Merged PR 7689: 5/1 AM Publish

Alma Jenks 2018-05-01 17:43:43 +00:00
commit abb2a6c8cb
25 changed files with 111 additions and 54 deletions

View File

@ -6,6 +6,11 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control.md", "source_path": "windows/security/threat-protection/windows-defender-application-control.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control",
"redirect_document_id": true "redirect_document_id": true
@ -441,11 +446,6 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md", "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
"redirect_document_id": true "redirect_document_id": true
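Review bot: The removed entry in this hunk drops the redirect for windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md, while the first hunk adds a redirect for device-guard-deployment-guide.md to the same target. Unless deploy-windows-defender-application-control.md is being restored as a live topic in this commit, existing links to that path will stop resolving; confirm that is intended, or keep both entries.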

View File

@ -75,6 +75,9 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
>[!IMPORTANT]
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
Once Autopilot Reset is triggered, the reset process starts. Once Autopilot Reset is triggered, the reset process starts.
After reset, the device: After reset, the device:
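
Review bot: The added [!IMPORTANT] note sits after step 2, which already tells the user to trigger Autopilot Reset, yet the **Connect automatically** box has to be checked before the reset runs. Move the note ahead of the numbered steps or word it as a prerequisite; if it is meant to stay attached to step 2, indent it under that step so it reads as part of the list.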

View File

@ -129,8 +129,8 @@ There are a variety of steps you can take to begin the process of modernizing de
- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-switch-workloads) - [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-switch-workloads)
- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-dashboard) - [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-dashboard)
## Related topics ## Related topics
- [What is Intune?](https://docs.microsoft.com/en-us/intune/introduction-intune) - [What is Intune?](https://docs.microsoft.com/en-us/intune/introduction-intune)
- [Windows 10 Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) - [Windows 10 Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider)
- [Configuration service Providers](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) - [Windows 10 Configuration service Providers](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference)
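
Review bot: The changed link text "Windows 10 Configuration service Providers" keeps the mixed capitalization of the old text. Since the line is being edited anyway, use one form, for example "Windows 10 configuration service providers".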

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 04/24/2018 ms.date: 04/30/2018
--- ---
# AppLocker CSP # AppLocker CSP
@ -159,17 +159,16 @@ Each of the previous nodes contains one or more of the following leaf nodes:
<p>Here is a sample certutil invocation:</p> <p>Here is a sample certutil invocation:</p>
``` ```
certutil -encode WinSiPolicy.p7b WinSiPolicy.txt certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
``` ```
<p>Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.</p>
<p>An alternative to using certutil would be to use the following PowerShell invocation:</p> <p>An alternative to using certutil would be to use the following PowerShell invocation:</p>
``` ```
[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>)) [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
``` ```
<p>If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.</p> <p>If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.</p>
<p>Data type is string. Supported operations are Get, Add, Delete, and Replace.</p></td> <p>Data type is string. Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
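
Review bot: The added paragraph misspells the PEM marker as "BEGIN CERTIFIFCATE"; it should read "BEGIN CERTIFICATE". The instruction to keep only the data between the markers and to remove line breaks applies to the certutil output only, because the PowerShell alternative below it already returns a single Base64 string with no markers, so the paragraph should say which method it refers to. Renaming the output file to WinSiPolicy.cer also suggests a certificate when the content is a Base64-encoded Code Integrity policy; keep a neutral extension or explain the choice.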

Binary file not shown.

Size: 17 KiB

Binary file not shown.

Size: 95 KiB

Binary file not shown.

Size: 27 KiB

View File

@ -2,17 +2,52 @@
title: Upgrade Readiness - Additional insights title: Upgrade Readiness - Additional insights
description: Explains additional features of Upgrade Readiness. description: Explains additional features of Upgrade Readiness.
ms.prod: w10 ms.prod: w10
author: greg-lindsay author: jaimeo
ms.date: 10/26/2017 ms.date: 04/03/2018
--- ---
# Upgrade Readiness - Additional insights # Upgrade Readiness - Additional insights
This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
- [Spectre and Meltdown protections](#spectre-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities.
- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. - [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer.
- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. - [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
## Spectre and Meltdown protection status
Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take.
Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities:
- Verify that you are running a supported antivirus application.
- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates.
- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s).
Upgrade Readiness reports on status of your devices in these three areas.
![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png)
>[!IMPORTANT]
>To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.)
### Anti-virus status blade
This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices.
![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png)
### Security update status blade
This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled.
![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png)
>[!IMPORTANT]
>If you are seeing computers with statuses of either “Unknown action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint.
### Firmware update status blade
This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part.
## Site discovery ## Site discovery
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
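
Review bot: The image added under "Security update status blade" reuses the alt text "Spectre-Meltdown antivirus blade" from the blade above it; change it to describe the security update status image. The new section also mixes "anti-virus" and "antivirus", so pick one spelling. Both [!IMPORTANT] notes give the endpoint as http://adl.windows.com; confirm the scheme is intended, or list only the host name so that administrators do not build an allow rule around plain HTTP by accident.
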
@ -20,7 +55,7 @@ The site discovery feature in Upgrade Readiness provides an inventory of web sit
> [!NOTE] > [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
[In order to use site discovery, a separate opt-in is required; see Enrolling] In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
### Review most active sites ### Review most active sites

View File

@ -1,14 +0,0 @@
---
title: Windows 10 deployment workflow
description: Scenarios, methods, tools, and requirements for deploying Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.pagetype: deploy
ms.sitesec: library
author: greg-lindsay
ms.date: 12/4/2017
---
# Windows 10 deployment workflow
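
Review bot: This deletion removes a topic that consisted only of front matter and a title, and no redirect entry for it appears in the redirection hunks shown in this commit. Confirm that a redirect exists elsewhere or that no table of contents or link still points to the page.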

View File

@ -18,13 +18,15 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
&nbsp; &nbsp;
> [!video https://www.youtube.com/embed/LFiP73slWew?autoplay=false] > [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803).
<br> <br>
<table border="0" width="100%" align="center"> <table border="0" width="100%" align="center">
<tr style="text-align:center;"> <tr style="text-align:center;">
<td align="center" style="width:25%; border:0;"> <td align="center" style="width:25%; border:0;">
<a href="/windows/whats-new/whats-new-windows-10-version-1709"> <a href="/windows/whats-new/whats-new-windows-10-version-1803">
<img src="images/whatsnew.png" alt="Read what's new in Windows 10" title="Whats new" /> <img src="images/whatsnew.png" alt="Read what's new in Windows 10" title="Whats new" />
<br/>What's New? </a><br> <br/>What's New? </a><br>
</td> </td>

View File

@ -27,6 +27,9 @@ To avoid the automatic encryption of data, developers can enlighten apps by addi
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps. We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
>[!IMPORTANT]
>After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
>[!Note] >[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center. >For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.

View File

@ -509,6 +509,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
>[!IMPORTANT]
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE] >[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
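
Review bot: The added note says curly braces are required around the RMS Template ID but does not show the expected value, and the paragraph above it names the setting **RMSTemplateIDForEDP** and the value **TemplateID** rather than "RMS Template ID". Say that the braces go around the value of **RMSTemplateIDForEDP** and add a short example with a placeholder ID. The same note is added to two more files in this commit and needs the same change there.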

View File

@ -420,6 +420,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
>[!IMPORTANT]
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE] >[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.

View File

@ -555,6 +555,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
>[!IMPORTANT]
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE] >[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.

View File

@ -23,6 +23,9 @@ We've come up with a list of suggested testing scenarios that you can use to tes
## Testing scenarios ## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
>[!IMPORTANT]
>If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
<table> <table>
<tr> <tr>
<th>Scenario</th> <th>Scenario</th>
@ -152,7 +155,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Unenroll client devices from WIP.</td> <td>Unenroll client devices from WIP.</td>
<td> <td>
<ul> <ul>
<li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li> <li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li>
</ul> </ul>
</td> </td>
</tr> </tr>

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high ms.localizationpriority: high
ms.author: sagaudre ms.author: sagaudre
author: brianlic-msft author: brianlic-msft
ms.date: 10/23/2017 ms.date: 05/01/2018
--- ---
# Get Support # Get Support

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high ms.localizationpriority: high
ms.author: sagaudre ms.author: sagaudre
author: brianlic-msft author: brianlic-msft
ms.date: 02/16/2018 ms.date: 05/01/2018
--- ---
# Microsoft Security Compliance Toolkit 1.0 # Microsoft Security Compliance Toolkit 1.0
@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of: The Security Compliance Toolkit consists of:
- Windows 10 Security Baselines - Windows 10 Security Baselines
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1703 (Creators Update) - Windows 10 Version 1703 (Creators Update)
- Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1607 (Anniversary Update)
@ -40,7 +41,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool - Local Group Policy Object (LGPO) tool
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
## What is the Policy Analyzer tool? ## What is the Policy Analyzer tool?
@ -52,7 +53,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool? ## What is the Local Group Policy Object (LGPO) tool?
@ -62,4 +63,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup. It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).

View File

@ -54,7 +54,9 @@ You can also [customize the message displayed on users' desktops](https://docs.m
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files (such as JS, VBS, or macros) that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. In Windows 10, version 1803, the Block at first sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
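
Review bot: After this change the last sentence still reads "A hash value of the .exe file is checked", which no longer matches a feature that also covers JS, VBS and macro files; reword it to cover all supported file types or state which ones are hash-checked. The added sentence also writes "Block at first sight" while the following paragraph uses "Block at First Sight", and "non-portable executable files" would read more clearly as "files that are not portable executables".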

View File

@ -11,14 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 04/17/2018 ms.date: 04/30/2018
--- ---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
**Applies to:** **Applies to:**
- Windows 10, version 1703 - Windows 10, version 1703 and later
**Audience** **Audience**
@ -42,7 +42,7 @@ To understand how next-gen technologies shorten protection delivery time through
<iframe <iframe
src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe> src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
Read the following blogposts for detailed protection stories involving cloud-protection and Microsoft AI: Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
- [Why Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/) - [Why Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) - [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 04/17/2018 ms.date: 04/30/2018
--- ---
# Windows Defender Antivirus in Windows 10 and Windows Server 2016 # Windows Defender Antivirus in Windows 10 and Windows Server 2016
@ -49,6 +49,12 @@ Some of the highlights of Windows Defender AV include:
>- Fast learning (including Block at first sight) >- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking >- Potentially unwanted application blocking
## What's new in Windows 10, version 1803
- The [Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for Ransomware protection. It includes Controlled folder access settings and ransomware recovery settings.
## What's new in Windows 10, version 1703 ## What's new in Windows 10, version 1703
New features for Windows Defender AV in Windows 10, version 1703 include: New features for Windows Defender AV in Windows 10, version 1703 include:
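Review bot: In the first added bullet, "non-portable executable files (such as JS, VBS, or macros) as well as executable files" is ambiguous, because it reads as if the executables themselves are non-portable. The contrast is presumably with portable executable (PE) files, so consider "files that are not portable executable (PE) files (such as JS, VBS, or macros) as well as PE files". The new 1803 section also goes straight into bullets, while the 1703 section right below it opens with a lead-in sentence ("New features for Windows Defender AV in Windows 10, version 1703 include:"); a matching lead-in would keep the two sections consistent.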
@ -60,9 +66,6 @@ We've expanded this documentation library to cover end-to-end deployment, manage
- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md) - [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) - [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
<a id="sysreq"></a> <a id="sysreq"></a>
## Minimum system requirements ## Minimum system requirements
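Review bot: The deleted sentence pointed readers to the `#in-this-library` anchor, and this hunk does not show whether that section is removed in the same change. If the section stays, the topic loses its only visible in-page pointer to it; if it goes, check that no other link in the topic still targets `#in-this-library`.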

View File

@ -76,7 +76,7 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De
## Common tasks ## Common tasks
This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security Center app. This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Defender Security Center app.
> [!NOTE] > [!NOTE]
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
@ -142,8 +142,17 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
<a id="ransomware"></a>
**Set ransomware protection and recovery options**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Ransomware protection**.
4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard).
5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
## Related topics ## Related topics
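Review bot: The new procedure does not say which Windows version it applies to, although the other topics touched in this commit describe the Ransomware protection section as arriving in Windows 10, version 1803; a one-line version note under the bold title would stop readers on earlier builds from looking for a tile that is not there. Step 4 also links to an absolute `https://docs.microsoft.com/en-us/...` URL with a hard-coded locale, where the other links in this change use relative `.md` paths; a relative link to the Controlled folder access topic would match them and survive redirects and localization.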

View File

@ -46,7 +46,7 @@ This topic describes how to customize the following settings of the Controlled f
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
>[!WARNING] >[!WARNING]
>Controlled folder access is a new technology that monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. >Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
> >
>This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact.
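Review bot: The context link just above the warning targets `#allow-specifc-apps-to-make-changes-to-controlled-folders`, with "specifc" misspelled. It is not part of this edit, but since the topic is being touched, confirm that the anchor still resolves against the heading it is meant to reach and correct both together if it does not.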

View File

@ -22,7 +22,7 @@ ms.date: 04/30/2018
- Windows 10, version 1703 and later - Windows 10, version 1703 and later
The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products. In Windows 10, version 1803 and later, this section also contains information and settings for ransomware protection and recovery, including Controlled folder access settings and sign in to Microsoft OneDrive. IT administrators and IT pros can get more information and documentation about configuration from the following: The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products. In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack. IT administrators and IT pros can get more information and documentation about configuration from the following:
- [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) - [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md)
- [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) - [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
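Review bot: The rewritten paragraph changes "In Windows 10, version 1803 and later" to "In Windows 10, version 1803", which now reads as if ransomware protection exists only in that one release, and it sits under an applies-to line that says "version 1703 and later". Unless the narrowing is intentional, keep "and later". The added "This includes Controlled folder access settings ..." sentence is clear as written.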

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high ms.localizationpriority: high
ms.author: sagaudre ms.author: sagaudre
author: brianlic-msft author: brianlic-msft
ms.date: 10/31/2017 ms.date: 05/01/2018
--- ---
# Windows Security Baselines # Windows Security Baselines

View File

@ -21,7 +21,7 @@ The following 3-minute video summarizes some of the new features that are availa
&nbsp; &nbsp;
> [!video https://www.youtube.com/embed/LFiP73slWew?autoplay=false] > [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
## Deployment ## Deployment
@ -221,7 +221,9 @@ Device Healths new App Reliability reports enable you to see where app update
## Microsoft Edge ## Microsoft Edge
iOS and Android versions of Edge are now available. Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved. iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip).
Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
## See Also ## See Also
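Review bot: The added Edge Tips link carries a `?source=firstrunwip` query string and a hard-coded `en-us` path segment. The query parameter looks like a referral tag copied from another entry point, so drop it from the docs link, and use the locale-neutral URL if the site supports one so that localized builds of this page do not send readers to the English site.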