diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index e42a925b72..0f888bcc93 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -154,7 +154,7 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
 * **Key Length** – 2048
 * **Hash Algorithm** – SHA-256
 * **Type** – SSL Server Authentication
-* **Key Usage** – Key Encipherment
+* **Key Usage** – Digital signature, Key Encipherment
 * **Provider** – Microsoft Enhanced RSA and AES Cryptographic Provider
 * **Expiration Date** – 15 Months from certificate creation
 * **Key Export Policy** – Exportable
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index baef69db7c..2126074cb7 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -41,11 +41,16 @@ Support for broad deployments of Surface devices using Windows Autopilot, includ
 
 ### Surface device support
 Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
-* Surface Pro (Model 1796)
+
+* Surface Pro (5th gen)
+* Surface Laptop(1st gen)
+* Surface Studio (1st gen)
+* Surface Pro 6
 * Surface Book 2
-* Surface Laptop
-* Surface Studio
+* Surface Laptop 2
+* Surface Studio 2
 * Surface Go
+* Surface Go with LTE Advanced
 
 ## Surface partners enabled for Windows Autopilot
 Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 6df81f8b27..c57aa58776 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -32,7 +32,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
 - **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff 
 - **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
 - **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
-- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
+- **Windows 10, version 1703 or later** which brings 3D for everyone and other new and updated Windows features
 - **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving 
 
 With Microsoft Education, schools can:
@@ -60,11 +60,11 @@ Click the link to watch the video or follow the step-by-step guidance for each.
 
 ## Prerequisites
 Complete these tasks before you start the walkthrough:
-- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed.
+- Make sure all the devices that you want to configure, such as student PCs, have Windows 10 (version 1703 or later) image installed.
 
-  We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices. 
+  We recommend Windows 10, version 1703 or later, to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices. 
 
-  If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough. 
+  If you don't have Windows 10, version 1703 or later, installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough. 
 
 - Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education.
 
diff --git a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
index 500b84672e..2d7e4cedbf 100644
--- a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
+++ b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
@@ -311,7 +311,9 @@ If you already registered SPNs on the machine account rather than in an applicat
 </tbody>
 </table>
 
- 
+## Required Request Filtering Settings
+ 
+ 'Allow unlisted file name extensions' is required for the application to operate as expected.  This can be found by navigating to the 'Microsoft BitLocker Administration and Monitoring' -> Request Filtering -> Edit Feature Settings.
 
 
 ## Related topics
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index c841ddef41..7c84c08b31 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -296,7 +296,7 @@ The deep link used for connecting your device to work will always use the follow
 
 | Parameter | Description                                                  | Supported Value for Windows 10|
 |-----------|--------------------------------------------------------------|----------------------------------------------|
-| mode      | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj"                                        |
+| mode      | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined).                                       |
 |username  | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
 | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
 | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index bfd84c39bb..afc9f144c2 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -181,6 +181,12 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
 
 If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
 
+>[!NOTE] 
+>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:<BR>
+>Name: Windows(R), Professional edition<BR>
+>Description: Windows(R) Operating System, RETAIL channel<BR>
+>Partial Product Key: 3V66T<BR>
+
 ## Virtual Desktop Access (VDA)
 
 Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 67561a162b..b5d8733948 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -32,6 +32,14 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
 
 ## Free trial account
 
+**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
+
+From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
+In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles.
+There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+
+**If you do not already have a Microsoft services subscription**
+
 You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. 
 
 >[!NOTE]
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 1750d67101..da352844e5 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -606,7 +606,7 @@ In these steps, you generate offline media from the MDT Production deployment sh
 
 Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench.
 
-1.  On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\\MDTBuildLab\\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
+1.  On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
 2.  Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
 3.  In the **General** tab, configure the following:
     1.  Clear the Generate x86 boot image check box.
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 8dcb9a871f..933f240e24 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -26,8 +26,8 @@ To configure your environment for BitLocker, you will need to do the following:
 3.  Configure the operating system deployment task sequence for BitLocker.
 4.  Configure the rules (CustomSettings.ini) for BitLocker.
 
-**Note**  
-Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+>[!NOTE]
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
  
 For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
 
@@ -35,8 +35,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a
 
 To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
 
-**Note**  
-Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
+>[!NOTE]
+>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
  
 In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
 
@@ -79,8 +79,8 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
         Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
     4.  Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
 
-**Note**  
-If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
+>[!NOTE]
+>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
  
 ### Set permissions in Active Directory for BitLocker
 
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index c815cc9c41..a2f2212ae8 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -21,15 +21,15 @@ This topic is designed to teach you how to use the MDT database to pre-stage inf
 
 MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
 
-**Note**  
-Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
+>[!NOTE]
+>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
  
 ## <a href="" id="sec02"></a>Create the deployment database
 
 The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
 
-**Note**  
-Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
+>[!NOTE]
+>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
  
 1.  On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
 2.  In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index 5ecbefe38b..e1c1d22bc7 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -20,6 +20,7 @@ ms.topic: article
 -   Windows 8.1
 -   Windows 8
 -   Windows 7
+-   Windows Server 2016
 -   Windows Server 2012
 -   Windows Server 2008 R2
 
@@ -29,10 +30,28 @@ After you deploy and store the customized databases on each of your local comput
 
 ## Command-Line Options for Deploying Customized Database Files
 
+Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
 
-The command-line options use the following conventions.
+```
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
 
-Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
+C:\Windows\system32>Sdbinst.exe /?
+Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
+
+    -? - print this help text.
+    -p - Allow SDBs containing patches.
+    -q - Quiet mode: prompts are auto-accepted.
+    -u - Uninstall.
+    -g {guid} - GUID of file (uninstall only).
+    -n "name" - Internal name of file (uninstall only).
+
+C:\Windows\system32>_
+```
+
+The command-line options use the following conventions:
+
+Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
 
 The following table describes the available command-line options.
 
@@ -49,6 +68,18 @@ The following table describes the available command-line options.
 </thead>
 <tbody>
 <tr class="odd">
+<td align="left"><p>-?</p></td>
+<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
+<p>For example,</p>
+<p><code>sdbinst.exe -?</code></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>-p</p></td>
+<td align="left"><p>Allows SDBs installation with Patches</p>
+<p>For example,</p>
+<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
+</tr>
+<tr class="odd">
 <td align="left"><p>-q</p></td>
 <td align="left"><p>Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).</p>
 <p>For example,</p>
@@ -72,18 +103,6 @@ The following table describes the available command-line options.
 <p>For example,</p>
 <p><code>sdbinst.exe -n &quot;My_Database&quot;</code></p></td>
 </tr>
-<tr class="odd">
-<td align="left"><p>-?</p></td>
-<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
-<p>For example,</p>
-<p><code>sdbinst.exe -?</code></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>-p</p></td>
-<td align="left"><p>Allows SDBs installation with Patches</p>
-<p>For example,</p>
-<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
-</tr>
 </tbody>
 </table>
 
diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md
index 8afb576298..9a42ba6489 100644
--- a/windows/deployment/planning/windows-10-1803-removed-features.md
+++ b/windows/deployment/planning/windows-10-1803-removed-features.md
@@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
 |Language control in the Control Panel|	Use the Settings app to change your language settings.|
 |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
 |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
-|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
+|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. <br><br>However, if you install Windows 10, version 1803, you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
 
 
 ## Features we’re no longer developing
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 7a7dfcc5d0..37103745b0 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -26,7 +26,7 @@ ms.topic: article
 >
 >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
 
-Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10. 
+Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. 
 
 | Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
 | --- | --- | --- | --- | --- |
@@ -44,6 +44,9 @@ Semi-Annual Channel (Targeted) is the default servicing channel for all Windows
 >[!NOTE]
 >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 
+>[!NOTE]
+>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
+
 ## Assign devices to Semi-Annual Channel
 
 >[!IMPORTANT]
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index c1f447026d..ea9214c57b 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -195,6 +195,11 @@ Upgrade Readiness only collects app inventory on devices that are not yet upgrad
 Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
 
 Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
+
+There are two additional configurations to check:
+1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction.
+2. Make sure IE is not running in InPrivate mode. 
+
 Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
 
 >[!NOTE]
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b65bcc0c93..df6c14cfbf 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -141,3 +141,5 @@ There are different identifiers for the same update in different contexts. It’
    - Small integers (especially in Datastore) can be local IDs 
       ![Windows Update inconsisten terminology](images/update-inconsistent.png)
 
+## Windows Setup log files analysis using SetupDiag tool
+SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag).
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 5f09b45f16..4c56170e4d 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -20,7 +20,8 @@ If you run into problems when using Windows Update, start with the following ste
 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. 
 2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 
 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: 
-   
+
+   - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history)
    - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) 
    - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) 
    - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)  
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index ca8aab7167..3090160049 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration
 <tbody>
 <tr class="odd">
 <td align="left"><p><em>StorePath</em></p></td>
-<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>c:\</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
+<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>C:&#92;</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><strong>/apps</strong></p></td>
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 172989517e..1880d0e682 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -15,17 +15,12 @@ ms.topic: article
 
 The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
 VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
--   Windows® 7
--   Windows 8
--   Windows 8.1
--   Windows 10
--   Windows Server 2008 R2
--   Windows Server® 2012
--   Windows Server 2012 R2
+-   Windows® 7 or above
+-   Windows Server 2008 R2 or above
+
 
 **Important**  
-VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of 
-**Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed.
+VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). 
 
 VAMT is only available in an EN-US (x86) package.
 
@@ -42,4 +37,4 @@ VAMT is only available in an EN-US (x86) package.
 |[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
 |[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
 |[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
- 
\ No newline at end of file
+ 
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index 767a8c0724..a8baa55101 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -63,7 +63,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each
 
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: 
 
-- Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded.
+- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
 - Azure Active Directory (Azure AD) available for identity management.
 - Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 59fa406a68..f8dd9eb38c 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,7 +1,7 @@
 ---
 title: Demonstrate Autopilot deployment on a VM
 description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
@@ -11,6 +11,7 @@ author: greg-lindsay
 ms.author: greg-lindsay
 ms.collection: M365-modern-desktop
 ms.topic: article
+ms.custom: autopilot
 ---
 
 
@@ -20,194 +21,824 @@ ms.topic: article
 
 -   Windows 10
 
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V. Watch the following video to see an overview of the process:
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a virtual machine (VM) using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+The following video provides an overview of the process:
 
 </br>
 <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> 
 
+>For a list of terms used in this guide, see the [Glossary](#glossary) section.
+
 ## Prerequisites
 
-These are the thing you'll need on your device to get started:
-* Installation media for the [latest version of Windows 10 Professional or Enterprise (ISO file)](https://www.microsoft.com/software-download/windows10)
-* Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements))
-* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
+These are the things you'll need to complete this lab:
+<table><tr><td>Windows 10 installation media</td><td>Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).</td></tr>
+<tr><td>Internet access</td><td>If you are behind a firewall, see the detailed [networking requirements](windows-autopilot-requirements-network.md). Otherwise, just ensure that you have a connection to the Internet.</td></tr>
+<tr><td>Hyper-V or a physical device running Windows 10</td><td>The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.</td></tr>
+<tr><td>A Premium Intune account</td><td>This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.</td></tr></table>
 
-See additional prerequisites in the [Windows Autopilot overview topic](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#prerequisites).
+## Procedures
 
-## Create your Virtual Machine
+A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
 
-### Enable Hyper-V
-The first thing to do, is to enable the Hyper-V feature on your device.
->[!IMPORTANT]
->If you already have Hyper-V enabled, skip this step.
+[Verify support for Hyper-V](#verify-support-for-hyper-v)
+<br>[Enable Hyper-V](#enable-hyper-v)
+<br>[Create a demo VM](#create-a-demo-vm)
+<br>&nbsp;&nbsp;&nbsp; [Set ISO file location](#set-iso-file-location)
+<br>&nbsp;&nbsp;&nbsp; [Determine network adapter name](#determine-network-adapter-name)
+<br>&nbsp;&nbsp;&nbsp;  [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
+<br>&nbsp;&nbsp;&nbsp; [Install Windows 10](#install-windows-10)
+<br>[Capture the hardware ID](#capture-the-hardware-id)
+<br>[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
+<br>[Verify subscription level](#verify-subscription-level)
+<br>[Configure company branding](#configure-company-branding)
+<br>[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
+<br>[Register your VM](#register-your-vm)
+<br>&nbsp;&nbsp;&nbsp; [Autopilot registration using Intune](#autopilot-registration-using-intune)
+<br>&nbsp;&nbsp;&nbsp; [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
+<br>[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
+<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the profile](#assign-the-profile)
+<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+<br>[See Windows Autopilot in action](#see-windows-autopilot-in-action)
+<br>[Remove devices from Autopilot](#remove-devices-from-autopilot)
+<br>&nbsp;&nbsp;&nbsp; [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
+<br>[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
+<br>[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
+<br>&nbsp;&nbsp;&nbsp; [Add a Win32 app](#add-a-win32-app)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Prepare the app for Intune](#prepare-the-app-for-intune)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create app in Intune](#create-app-in-intune)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+<br>&nbsp;&nbsp;&nbsp; [Add Office 365](#add-office-365)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create app in Intune](#create-app-in-intune)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+<br>[Glossary](#glossary)
+
+## Verify support for Hyper-V
+
+If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). 
+
+>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+
+If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
+
+## Enable Hyper-V
+
+To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
 
-Open a PowerShell prompt **as an administrator** and run the following:
 ```powershell
 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
 ```
 
-You will be prompted to restart your device, so save all your work and restart it before you continue.
+This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
 
-### Create and start your demo Virtual Machine
-
-Now that Hyper-V is enabled, proceed to create your Virtual Machine.
-
-Open a PowerShell prompt **as an administrator** and run the following:
 ```powershell
-New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true
+Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+```
+
+When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. 
+
+>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+   ![hyper-v feature](../images/hyper-v-feature.png)
+
+   ![hyper-v](../images/svr_mgr2.png)
+
+<P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
+
+After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
+
+To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
+
+## Create a demo VM
+
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. 
+
+To use Windows Powershell we just need to know two things:
+
+1. The location of the Windows 10 ISO file.
+   - In the example, we assume the location is **c:\iso\win10-eval.iso**. 
+2. The name of the network interface that connects to the Internet.
+   - In the example, we use a Windows PowerShell command to determine this automatically. 
+
+After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
+
+### Set ISO file location
+
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). 
+- When asked to select a platform, choose **64 bit**. 
+
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). 
+
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. 
+2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
+
+### Determine network adapter name
+
+The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
+
+```powershell
+(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+```
+
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. 
+
+For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+
+###  Use Windows PowerShell to create the demo VM 
+
+All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
+
+>[!IMPORTANT]
+>**VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
+
+```powershell
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name 
 New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot
+Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
 Start-VM -VMName WindowsAutopilot
 ```
 
->[!IMPORTANT]
->Make sure to replace <*Name of Network Adapter with internet access*> and <*Path to Windows 10 ISO*> with the appropriate values.
->Additionally, note that all Virtual Machine related data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the above.
+After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD.  You can connect to the VM by double-clicking it in Hyper-V Manager.
+
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+
+<pre style="overflow-y: visible">
+PS C:\autopilot> dir c:\iso
+
+
+    Directory: C:\iso
+
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+
+Name              SwitchType NetAdapterInterfaceDescription
+----              ---------- ------------------------------
+AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
+----             ----- ----------- ----------------- ------   ------             -------
+WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+    Directory: C:\autopilot
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/12/2019   3:15 PM                VMData
+d-----        3/12/2019   3:42 PM                VMs
+
+PS C:\autopilot>
+</pre>
 
 ### Install Windows 10
 
-Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutopilot** Virtual Machine.
-Make sure the Virtual Machine booted from the installation media you've provided and complete the Windows installation process.
+Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
 
-Once the installation is complete, create a checkpoint. You will create multiple checkpoints throughout this process, which you can later use to go through the process again.
+   ![Windows setup](images/winsetup1.png)
+   ![Windows setup](images/winsetup2.png)
+   ![Windows setup](images/winsetup3.png)
+   ![Windows setup](images/winsetup4.png)
+   ![Windows setup](images/winsetup5.png)
+   ![Windows setup](images/winsetup6.png)
+
+>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This will offer the fastest way to the desktop. For example:
+
+   ![Windows setup](images/winsetup7.png) 
+
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+
+   ![Windows setup](images/winsetup8.png) 
+
+To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
 
-To create the checkpoint, open a PowerShell prompt **as an administrator** and run the following:
 ```powershell
 Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
 ```
 
-## Capture your Virtual Machine's hardware ID
+Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
 
-On the newly created Virtual Machine, open a PowerShell prompt **as an administrator** and run the following:
-```powershell
-md c:\HWID
-Set-Location c:\HWID
-Set-ExecutionPolicy Unrestricted
-Install-Script -Name Get-WindowsAutopilotInfo
-Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-```
+## Capture the hardware ID
+
+>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory.  The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR).  For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.).  Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+
+Follow these steps to run the PS script:
+
+1.	Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+
+    ```powershell
+    md c:\HWID
+    Set-Location c:\HWID
+    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+    Install-Script -Name Get-WindowsAutopilotInfo -Force
+    $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+    Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+    ```
+
+When you are prompted to install the NuGet package, choose **Yes**.
+
+See the sample output below.
+
+<pre>
+PS C:\> md c:\HWID
+
+    Directory: C:\
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/14/2019  11:33 AM                HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+    Directory: C:\HWID
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+PS C:\HWID>
+</pre>
+
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size.  This file contains the complete 4K HH.  
+
+**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+
+![Serial number and hardware hash](images/hwid.png)
+
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). 
+
+If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
 
 >[!NOTE]
->Accept all prompts while running the above cmdlets.
+>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
 
-### Mount the Virtual Hard Drive (VHD)
+## Reset the VM back to Out-Of-Box-Experience (OOBE)
 
-To gain access to the AutopilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive. 
-
-To do that, on your device (**not** on the Virtual Machine), open a PowerShell prompt **as an administrator** and run the following:
-```powershell
-Stop-VM -VMName WindowsAutopilot
-```
-
-Once the Virtual Machine has stopped, create a checkpoint:
-```powershell
-Checkpoint-VM -Name WindowsAutopilot -SnapshotName "HWID captured"
-```
-
-With the checkpoint created, continue to mount the VHD:
-```powershell
-Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
-```
-
-Once mounted, navigate to the new drive and copy **AutopilotHWID.csv** to a location on your device.
-
-Before you proceed, unmount the VHD to unlock it and start the Virtual Machine:
-```powershell
-Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
-Start-VM -VMName WindowsAutopilot
-```
-
-## Reset Virtual Machine back to Out-Of-Box-Experience (OOBE)
-
-With the hardware ID captured, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
 
 On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
 Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
 
 ![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
 
-Resetting your Virtual Machine can take a while. Proceed to the next steps while your Virtual Machine is resetting.
+Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
 
 ![Reset this PC screen capture](images/autopilot-reset-progress.jpg)
 
+## Verify subscription level
+
+For this lab, you need an AAD Premium subscription.  You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+
+**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
+
+![MDM and Intune](images/mdm-intune2.png)
+
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription.  Auto-enrollment is a feature only available in AAD Premium.  
+
+To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
+
+![Reset this PC final prompt](images/aad-lic1.png)
+
 ## Configure company branding
 
->[!IMPORTANT]
->If you already have company branding configured in Azure Active Directory, you can skip this step.
-
-Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding).
+If you already have company branding configured in Azure Active Directory, you can skip this step.
 
 >[!IMPORTANT]
 >Make sure to sign-in with a Global Administrator account.
 
-Click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
+Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
 
-![Configure button in Company branding](images/autopilot-aad-configure.jpg)
+![Configure company branding](images/branding.png)
 
-Once finished, click **Save**.
+When you are finished, click **Save**.
 
 >[!NOTE]
 >Changes to company branding can take up to 30 minutes to apply.
 
-
 ## Configure Microsoft Intune auto-enrollment
 
->[!IMPORTANT]
->If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
+If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
 
-Navigate to [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**.
+Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
 
 For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
 
-![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.jpg)
+![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png)
 
-## Register your Virtual Machine to your organization
+## Register your VM
 
-Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutopilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
+Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB).  Both processes are shown here, but <u>only pick one</u> for purposes of this lab. We highly recommend using Intune rather than MSfB.
 
-![Add devices through Microsoft Store for Business](images/autopilot-devices-add.jpg)
+### Autopilot registration using Intune
+
+1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+
+    ![Intune device import](images/device-import.png)
+
+    >[!NOTE]
+    >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI.  You might need to provide Intune configuration privileges in a challenge window that appeared.
+
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It’s okay if other fields (Windows Product ID) are left blank.
+
+    ![HWID CSV](images/hwid-csv.png)
+
+    You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
+
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. 
+
+4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+
+   ![Import HWID](images/import-vm.png)
+
+### Autopilot registration using MSfB
+
+>[!IMPORTANT]
+>If you've already registered your VM (or device) using Intune, then skip this step.
+
+Optional: see the following video for an overview of the process.
+
+&nbsp;
+
+> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
+
+First, you need a MSfB account.  You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview) to create a new one.
+
+Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
+
+Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
+
+![Microsoft Store for Business](images/msfb.png)
+
+Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
+
+![Devices](images/msfb-device.png)
 
 ## Create and assign a Windows Autopilot deployment profile
 
-Navigate to [Windows enrollment in Microsoft Intune](https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/OverviewBlade/windowsEnrollment).
+>[!IMPORTANT]
+>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB.  Both processes are shown here, but only <U>pick one for purposes of this lab</U>:
 
-Make sure to sync the device you've just registered, by clicking on **Devices** under **Windows Autopilot Deployment Program (Preview)** and selecting **Sync**. Wait a few moments before refreshing to see your Virtual Machine added.
+Pick one:
+- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
 
-![Microsoft Intune sync Windows devices](images/autopilot-intune-sync.jpg)
+### Create a Windows Autopilot deployment profile using Intune
 
-### Create a Windows Autopilot deployment profile
+>[!NOTE]
+>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
 
-Click on **Deployment profiles** under **Windows Autopilot Deployment Program (Preview)** and select **Create profile**.
+![Devices](images/intune-devices.png)
 
-![Microsoft Intune create deployment profile](images/autopilot-intune-profile-add.jpg)
+>The example above lists both a physical device and a VM. Your list should only include only one of these.
 
-In the **Create profile** blade, set the name to **Autopilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
-| Setting name | Value |
+To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+
+![Deployment profiles](images/deployment-profiles.png)
+
+Click on **Create profile**.
+
+![Create deployment profile](images/create-profile.png)
+
+On the **Create profile** blade, use the following values:
+
+| Setting | Value |
 |---|---|
-|Privacy Settings|Hide|
-|End user license agreement (EULA)|Hide|
-|User account type|Standard|
+| Name | Autopilot Lab profile |
+| Description | blank |
+| Convert all targeted devices to Autopilot | No |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
 
-Click on **Save** and **Create**.
+Click on **Out-of-box experience (OOBE)** and configure the following settings:
 
-![Create a new deployment profile in Microsoft Intune](images/autopilot-intune-profile-configure.jpg)
+| Setting | Value |
+|---|---|
+| EULA | Hide |
+| Privacy Settings | Hide |
+| Hide change account options | Hide |
+| User account type | Standard |
+| Apply device name template | No |
 
-### Assign a Windows Autopilot deployment profile
+See the following example:
 
-With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **Autopilot Intune Demo** under the **Autopilot profile**. Click on **Assign**.
+![Deployment profile](images/profile.png)
 
-![Assign Autopilot Profile in Microsoft Intune](images/autopilot-intune-profile-assign.jpg)
+Click on **OK** and then click on **Create**.
 
-Wait a few minutes for all changes to apply.
+>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+
+#### Assign the profile
+
+Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
+
+To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
+
+![All groups](images/all-groups.png)
+
+Select New group from the Groups blade to open the new groups UI.  Select the “Security” group type, name the group, and select the “Assigned” membership type:
+
+Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
+
+![New group](images/new-group.png)
+
+Now click **Create** to finish creating the new group.
+
+Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
+
+With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
+
+From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade.  Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
+
+![Lab profile](images/deployment-profiles2.png)
+
+Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
+
+![Include group](images/include-group.png)
+
+Click **Select** and then click **Save**.
+
+![Include group](images/include-group2.png)
+
+It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+
+### Create a Windows Autopilot deployment profile using MSfB
+
+If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
+
+A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
+
+First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
+
+Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
+
+![MSfB manage](images/msfb-manage.png)
+
+Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
+
+To CREATE the profile:
+
+Select your device from the **Devices** list:
+
+![MSfB create](images/msfb-create1.png)
+
+On the Autopilot deployment dropdown menu, select **Create new profile**:
+
+![MSfB create](images/msfb-create2.png)
+
+Name the profile, choose your desired settings, and then click **Create**:
+
+![MSfB create](images/msfb-create3.png)
+
+The new profile is added to the Autopilot deployment list.
+
+To ASSIGN the profile:
+
+To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
+
+![MSfB assign](images/msfb-assign1.png)
+
+Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
+
+![MSfB assign](images/msfb-assign2.png)
+
+>[!IMPORTANT]
+>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
 
 ## See Windows Autopilot in action
 
-By now, your Virtual Machine should be back to OOBE. Make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding)
-, otherwise those changes might not show up.
+If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+
+![Device status](images/device-status.png)
+
+Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
+
+>[!TIP]
+>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting.  If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started.  Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+
+- Ensure your device has an internet connection.
+- Turn on the device
+- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear.  You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
+
+![OOBE sign-in page](images/autopilot-oobe.jpg) 
+
+Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device.  Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+
+![Device enabled](images/enabled-device.png)
 
 Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
 
-![OOBE sign-in page](images/autopilot-oobe.jpg)
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
 
-Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+## Remove devices from Autopilot
 
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it.  Instructions for deregistering devices can be found [here](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/en-us/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+
+### Delete (deregister) Autopilot device
+
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**.  Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+
+![Delete device](images/delete-device1.png) 
+
+Click **X** when challenged to complete the operation:
+
+![Delete device](images/delete-device2.png) 
+
+This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+
+![Delete device](images/delete-device3.png) 
+
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores.  The former (All devices) is the list of devices currently enrolled into Intune.  Note: A device will only appear in the All devices list once it has booted.  The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+
+To remove the device from the Autopilot program, select the device and click Delete.
+
+![Delete device](images/delete-device4.png) 
+
+A warning message appears reminding you to first remove the device from Intune, which we previously did.
+
+![Delete device](images/delete-device5.png) 
+
+At this point, your device has been unenrolled from Intune and also deregistered from Autopilot.  After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+
+![Delete device](images/delete-device6.png) 
+
+Once the device no longer appears, you are free to reuse it for other purposes.
+
+If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+
+![Delete device](images/delete-device7.png) 
+
+## Appendix A: Verify support for Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+<pre style="overflow-y: visible">
+C:\>systeminfo
+
+...
+Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                           Virtualization Enabled In Firmware: Yes
+                           Second Level Address Translation: Yes
+                           Data Execution Prevention Available: Yes
+</pre>
+
+In this example, the computer supports SLAT and Hyper-V.
+
+>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V.  However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+<pre style="overflow-y: visible">
+C:\>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR      -       Hypervisor is present
+VMX             *       Supports Intel hardware-assisted virtualization
+EPT             *       Supports Intel extended page tables (SLAT)
+</pre>
+
+Note: A 64-bit operating system is required to run Hyper-V.
+
+## Appendix B: Adding apps to your profile
+
+### Add a Win32 app
+
+#### Prepare the app for Intune
+
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool).  After downloading the tool, gather the following three bits of information to use the tool:
+
+1.	The source folder for your application
+2.	The name of the setup executable file 
+3.	The output folder for the new file
+
+For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+
+Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
+
+Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
+
+![Add app](images/app01.png) 
+
+After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+![Add app](images/app02.png) 
+
+Under **App Type**, select **Windows app (Win32)**:
+
+![Add app](images/app03.png) 
+
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+
+![Add app](images/app04.png) 
+
+On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+
+![Add app](images/app05.png) 
+
+On the **Program Configuration** blade, supply the install and uninstall commands:
+
+Install:  msiexec /i "npp.7.6.3.installer.x64.msi" /q
+Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+
+NOTE:  Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+
+![Add app](images/app06.png) 
+
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app.  To actually install the program, we need to use the .msi file instead.  Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).  
+
+Click **OK** to save your input and activate the **Requirements** blade.
+
+On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+
+![Add app](images/app07.png) 
+
+Next, configure the **Detection rules**.  For our purposes, we will select manual format:
+
+![Add app](images/app08.png) 
+
+Click **Add** to define the rule properties.  For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+
+![Add app](images/app09.png) 
+
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.  
+
+**Return codes**:  For our purposes, leave the return codes at their default values:
+
+![Add app](images/app10.png) 
+
+Click **OK** to exit.
+
+You may skip configuring the final **Scope (Tags)** blade.
+
+Click the **Add** button to finalize and save your app package.
+
+Once the indicator message says the addition has completed.
+
+![Add app](images/app11.png) 
+
+You will be able to find your app in your app list:
+
+![Add app](images/app12.png) 
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+	
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
+
+![Add app](images/app13.png) 
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select *8Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+![Add app](images/app14.png) 
+
+![Add app](images/app15.png) 
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+![Add app](images/app16.png) 
+
+At this point, you have completed steps to add a Win32 app to Intune.
+
+For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/en-us/intune/apps-win32-app-management).
+
+### Add Office 365
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+![Add app](images/app17.png) 
+
+Under **App Type**, select **Office 365 Suite > Windows 10**:
+
+![Add app](images/app18.png) 
+
+Under the **Configure App Suite** pane, select the Office apps you want to install.  For the purposes of this labe we have only selected Excel:
+
+![Add app](images/app19.png) 
+
+Click **OK**.
+
+In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a suitable description.  
+
+>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. 
+
+![Add app](images/app20.png) 
+
+Click **OK**.
+
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab).  Also select **Yes** for **Automatically accept the app end user license agreement**:
+
+![Add app](images/app21.png) 
+
+Click **OK** and then click **Add**.
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile).  If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+	
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
+
+![Add app](images/app22.png) 
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select **Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+![Add app](images/app23.png) 
+
+![Add app](images/app24.png) 
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+![Add app](images/app25.png) 
+
+At this point, you have completed steps to add Office to Intune.
+
+For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
+
+If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
+
+![Add app](images/app26.png) 
+
+## Glossary
+
+<table border="1">
+<tr><td>OEM</td><td>Original Equipment Manufacturer</td></tr>
+<tr><td>CSV</td><td>Comma Separated Values</td></tr>
+<tr><td>MPC</td><td>Microsoft Partner Center</td></tr>
+<tr><td>CSP</td><td>Cloud Solution Provider</td></tr>
+<tr><td>MSfB</td><td>Microsoft Store for Business</td></tr>
+<tr><td>AAD</td><td>Azure Active Directory</td></tr>
+<tr><td>4K HH</td><td>4K Hardware Hash</td></tr>
+<tr><td>CBR</td><td>Computer Build Report</td></tr>
+<tr><td>EC</td><td>Enterprise Commerce (server)</td></tr>
+<tr><td>DDS</td><td>Device Directory Service</td></tr>
+<tr><td>OOBE</td><td>Out of the Box Experience</td></tr>
+<tr><td>VM</td><td>Virtual Machine</td></tr>
+</table>
diff --git a/windows/deployment/windows-autopilot/images/aad-lic1.png b/windows/deployment/windows-autopilot/images/aad-lic1.png
new file mode 100644
index 0000000000..569d601066
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/aad-lic1.png differ
diff --git a/windows/deployment/windows-autopilot/images/all-groups.png b/windows/deployment/windows-autopilot/images/all-groups.png
new file mode 100644
index 0000000000..6ae904ed62
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/all-groups.png differ
diff --git a/windows/deployment/windows-autopilot/images/app01.png b/windows/deployment/windows-autopilot/images/app01.png
new file mode 100644
index 0000000000..f551c5ca68
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app01.png differ
diff --git a/windows/deployment/windows-autopilot/images/app02.png b/windows/deployment/windows-autopilot/images/app02.png
new file mode 100644
index 0000000000..e5036043cc
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app02.png differ
diff --git a/windows/deployment/windows-autopilot/images/app03.png b/windows/deployment/windows-autopilot/images/app03.png
new file mode 100644
index 0000000000..63ef76b3f8
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app03.png differ
diff --git a/windows/deployment/windows-autopilot/images/app04.png b/windows/deployment/windows-autopilot/images/app04.png
new file mode 100644
index 0000000000..bd307c4a46
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app04.png differ
diff --git a/windows/deployment/windows-autopilot/images/app05.png b/windows/deployment/windows-autopilot/images/app05.png
new file mode 100644
index 0000000000..83861dcd51
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app05.png differ
diff --git a/windows/deployment/windows-autopilot/images/app06.png b/windows/deployment/windows-autopilot/images/app06.png
new file mode 100644
index 0000000000..9563e0514c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app06.png differ
diff --git a/windows/deployment/windows-autopilot/images/app07.png b/windows/deployment/windows-autopilot/images/app07.png
new file mode 100644
index 0000000000..59025e69fa
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app07.png differ
diff --git a/windows/deployment/windows-autopilot/images/app08.png b/windows/deployment/windows-autopilot/images/app08.png
new file mode 100644
index 0000000000..cea5edfc57
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app08.png differ
diff --git a/windows/deployment/windows-autopilot/images/app09.png b/windows/deployment/windows-autopilot/images/app09.png
new file mode 100644
index 0000000000..250c85dd8a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app09.png differ
diff --git a/windows/deployment/windows-autopilot/images/app10.png b/windows/deployment/windows-autopilot/images/app10.png
new file mode 100644
index 0000000000..8d5af2ece1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app10.png differ
diff --git a/windows/deployment/windows-autopilot/images/app11.png b/windows/deployment/windows-autopilot/images/app11.png
new file mode 100644
index 0000000000..9ca5bc10eb
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app11.png differ
diff --git a/windows/deployment/windows-autopilot/images/app12.png b/windows/deployment/windows-autopilot/images/app12.png
new file mode 100644
index 0000000000..3f82bf78a9
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app12.png differ
diff --git a/windows/deployment/windows-autopilot/images/app13.png b/windows/deployment/windows-autopilot/images/app13.png
new file mode 100644
index 0000000000..2b499f4ec2
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app13.png differ
diff --git a/windows/deployment/windows-autopilot/images/app14.png b/windows/deployment/windows-autopilot/images/app14.png
new file mode 100644
index 0000000000..e809db6134
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app14.png differ
diff --git a/windows/deployment/windows-autopilot/images/app15.png b/windows/deployment/windows-autopilot/images/app15.png
new file mode 100644
index 0000000000..b85a96bf9e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app15.png differ
diff --git a/windows/deployment/windows-autopilot/images/app16.png b/windows/deployment/windows-autopilot/images/app16.png
new file mode 100644
index 0000000000..f22f74a091
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app16.png differ
diff --git a/windows/deployment/windows-autopilot/images/app17.png b/windows/deployment/windows-autopilot/images/app17.png
new file mode 100644
index 0000000000..5adfc9218f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app17.png differ
diff --git a/windows/deployment/windows-autopilot/images/app18.png b/windows/deployment/windows-autopilot/images/app18.png
new file mode 100644
index 0000000000..24c4b9f331
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app18.png differ
diff --git a/windows/deployment/windows-autopilot/images/app19.png b/windows/deployment/windows-autopilot/images/app19.png
new file mode 100644
index 0000000000..281ba9fb40
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app19.png differ
diff --git a/windows/deployment/windows-autopilot/images/app20.png b/windows/deployment/windows-autopilot/images/app20.png
new file mode 100644
index 0000000000..a5a066b45e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app20.png differ
diff --git a/windows/deployment/windows-autopilot/images/app21.png b/windows/deployment/windows-autopilot/images/app21.png
new file mode 100644
index 0000000000..d2e23f2db4
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app21.png differ
diff --git a/windows/deployment/windows-autopilot/images/app22.png b/windows/deployment/windows-autopilot/images/app22.png
new file mode 100644
index 0000000000..4541a69204
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app22.png differ
diff --git a/windows/deployment/windows-autopilot/images/app23.png b/windows/deployment/windows-autopilot/images/app23.png
new file mode 100644
index 0000000000..19b951c653
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app23.png differ
diff --git a/windows/deployment/windows-autopilot/images/app24.png b/windows/deployment/windows-autopilot/images/app24.png
new file mode 100644
index 0000000000..aa77e4083f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app24.png differ
diff --git a/windows/deployment/windows-autopilot/images/app25.png b/windows/deployment/windows-autopilot/images/app25.png
new file mode 100644
index 0000000000..544d1ae37a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app25.png differ
diff --git a/windows/deployment/windows-autopilot/images/app26.png b/windows/deployment/windows-autopilot/images/app26.png
new file mode 100644
index 0000000000..e210faa31b
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/app26.png differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png
new file mode 100644
index 0000000000..1533f68c7c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png differ
diff --git a/windows/deployment/windows-autopilot/images/branding.png b/windows/deployment/windows-autopilot/images/branding.png
new file mode 100644
index 0000000000..46dd37bc4a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/branding.png differ
diff --git a/windows/deployment/windows-autopilot/images/create-profile.png b/windows/deployment/windows-autopilot/images/create-profile.png
new file mode 100644
index 0000000000..52f087721d
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/create-profile.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device1.png b/windows/deployment/windows-autopilot/images/delete-device1.png
new file mode 100644
index 0000000000..e73f929fbd
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device1.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device2.png b/windows/deployment/windows-autopilot/images/delete-device2.png
new file mode 100644
index 0000000000..ed764ac1ed
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device2.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device3.png b/windows/deployment/windows-autopilot/images/delete-device3.png
new file mode 100644
index 0000000000..a2daa1c39a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device3.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device4.png b/windows/deployment/windows-autopilot/images/delete-device4.png
new file mode 100644
index 0000000000..c0119fbc39
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device4.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device5.png b/windows/deployment/windows-autopilot/images/delete-device5.png
new file mode 100644
index 0000000000..33b539d33c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device5.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device6.png b/windows/deployment/windows-autopilot/images/delete-device6.png
new file mode 100644
index 0000000000..23cbcb7c44
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device6.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device7.png b/windows/deployment/windows-autopilot/images/delete-device7.png
new file mode 100644
index 0000000000..dcdeee5205
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/delete-device7.png differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles.png b/windows/deployment/windows-autopilot/images/deployment-profiles.png
new file mode 100644
index 0000000000..7888da55d1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/deployment-profiles.png differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles2.png b/windows/deployment/windows-autopilot/images/deployment-profiles2.png
new file mode 100644
index 0000000000..6ff9fbb89e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/deployment-profiles2.png differ
diff --git a/windows/deployment/windows-autopilot/images/device-import.png b/windows/deployment/windows-autopilot/images/device-import.png
new file mode 100644
index 0000000000..3be4cff996
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device-import.png differ
diff --git a/windows/deployment/windows-autopilot/images/device-status.png b/windows/deployment/windows-autopilot/images/device-status.png
new file mode 100644
index 0000000000..5a78973ce5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device-status.png differ
diff --git a/windows/deployment/windows-autopilot/images/enabled-device.png b/windows/deployment/windows-autopilot/images/enabled-device.png
new file mode 100644
index 0000000000..96dc935309
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enabled-device.png differ
diff --git a/windows/deployment/windows-autopilot/images/hwid-csv.png b/windows/deployment/windows-autopilot/images/hwid-csv.png
new file mode 100644
index 0000000000..ac177e0b5a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hwid-csv.png differ
diff --git a/windows/deployment/windows-autopilot/images/hwid.png b/windows/deployment/windows-autopilot/images/hwid.png
new file mode 100644
index 0000000000..fcc73fa0b0
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hwid.png differ
diff --git a/windows/deployment/windows-autopilot/images/import-vm.png b/windows/deployment/windows-autopilot/images/import-vm.png
new file mode 100644
index 0000000000..5fb97cda5d
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/import-vm.png differ
diff --git a/windows/deployment/windows-autopilot/images/include-group.png b/windows/deployment/windows-autopilot/images/include-group.png
new file mode 100644
index 0000000000..fb7bca7efa
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/include-group.png differ
diff --git a/windows/deployment/windows-autopilot/images/include-group2.png b/windows/deployment/windows-autopilot/images/include-group2.png
new file mode 100644
index 0000000000..585d006bac
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/include-group2.png differ
diff --git a/windows/deployment/windows-autopilot/images/intune-devices.png b/windows/deployment/windows-autopilot/images/intune-devices.png
new file mode 100644
index 0000000000..bc29c76511
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/intune-devices.png differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune.png b/windows/deployment/windows-autopilot/images/mdm-intune.png
new file mode 100644
index 0000000000..db9b144fad
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-intune.png differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune2.png b/windows/deployment/windows-autopilot/images/mdm-intune2.png
new file mode 100644
index 0000000000..d464863f37
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-intune2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign1.png b/windows/deployment/windows-autopilot/images/msfb-assign1.png
new file mode 100644
index 0000000000..c1e8e27e21
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-assign1.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign2.png b/windows/deployment/windows-autopilot/images/msfb-assign2.png
new file mode 100644
index 0000000000..fd3be16853
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-assign2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create1.png b/windows/deployment/windows-autopilot/images/msfb-create1.png
new file mode 100644
index 0000000000..f76aa82991
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create1.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create2.png b/windows/deployment/windows-autopilot/images/msfb-create2.png
new file mode 100644
index 0000000000..ec6c260fcd
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create3.png b/windows/deployment/windows-autopilot/images/msfb-create3.png
new file mode 100644
index 0000000000..a6241fb5ea
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-create3.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-device.png b/windows/deployment/windows-autopilot/images/msfb-device.png
new file mode 100644
index 0000000000..d338056013
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-device.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage.png b/windows/deployment/windows-autopilot/images/msfb-manage.png
new file mode 100644
index 0000000000..9bf684d844
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage2.png b/windows/deployment/windows-autopilot/images/msfb-manage2.png
new file mode 100644
index 0000000000..406aaf5948
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage2.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage3.png b/windows/deployment/windows-autopilot/images/msfb-manage3.png
new file mode 100644
index 0000000000..bf5fb1ccf9
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb-manage3.png differ
diff --git a/windows/deployment/windows-autopilot/images/msfb.png b/windows/deployment/windows-autopilot/images/msfb.png
new file mode 100644
index 0000000000..af937c2c5f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/msfb.png differ
diff --git a/windows/deployment/windows-autopilot/images/new-group.png b/windows/deployment/windows-autopilot/images/new-group.png
new file mode 100644
index 0000000000..c18c1865f6
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/new-group.png differ
diff --git a/windows/deployment/windows-autopilot/images/profile.png b/windows/deployment/windows-autopilot/images/profile.png
new file mode 100644
index 0000000000..40cf26bee2
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/profile.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup1.png b/windows/deployment/windows-autopilot/images/winsetup1.png
new file mode 100644
index 0000000000..c8048256c4
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup1.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup2.png b/windows/deployment/windows-autopilot/images/winsetup2.png
new file mode 100644
index 0000000000..43db844334
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup2.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup3.png b/windows/deployment/windows-autopilot/images/winsetup3.png
new file mode 100644
index 0000000000..dbea3969de
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup3.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup4.png b/windows/deployment/windows-autopilot/images/winsetup4.png
new file mode 100644
index 0000000000..1121b1dff5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup4.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup5.png b/windows/deployment/windows-autopilot/images/winsetup5.png
new file mode 100644
index 0000000000..2757253097
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup5.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup6.png b/windows/deployment/windows-autopilot/images/winsetup6.png
new file mode 100644
index 0000000000..e91843e1ff
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup6.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup7.png b/windows/deployment/windows-autopilot/images/winsetup7.png
new file mode 100644
index 0000000000..dadf85485e
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup7.png differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup8.png b/windows/deployment/windows-autopilot/images/winsetup8.png
new file mode 100644
index 0000000000..9d7a499db0
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/winsetup8.png differ
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index c084916d3e..d69c5869ba 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -32,7 +32,7 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
 - The device must be connected to the Internet and have access to an Active Directory domain controller.
 - The Intune Connector for Active Directory must be installed.
     - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. 
-- If using Proxy, WDAP Proxy settings option must be enabled and configured.
+- If using Proxy, WPAD Proxy settings option must be enabled and configured.
 
 **AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index 30fb733eb0..7e67c7eca1 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -21,7 +21,7 @@ ms.topic: article
 
 When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
 
-To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md).
+To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md). This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
 
 ## Triggering a remote Windows Autopilot Reset
 
@@ -34,5 +34,8 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
 >[!NOTE]
 >The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
 
+>[!IMPORTANT]
+>The feature for Autopilot Reset (preview) will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
+
 Once the reset is complete, the device is again ready for use.
- 
\ No newline at end of file
+ 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 1a5c9e982d..78eca0eb39 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -33,6 +33,9 @@ Windows Autopilot Reset will block the user from accessing the desktop until thi
 >[!IMPORTANT] 
 >To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. 
 
+>[!NOTE]
+>The Autopilot Reset does not support Hybrid Azure AD joined devices.
+
 ## Scenarios
 
 Windows Autopilot Reset supports two scenarios:
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index a811ff7119..1883594880 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,6 +1,6 @@
 # [Windows 10 and Windows 10 Mobile](index.md)
 ## [What's new](/windows/whats-new)
-## [Release information](/windows/release-information)
+## [Release information](release-information.md)
 ## [Deployment](/windows/deployment)
 ## [Configuration](/windows/configuration)
 ## [Client management](/windows/client-management)
diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md
new file mode 100644
index 0000000000..2aa38be1de
--- /dev/null
+++ b/windows/hub/release-information.md
@@ -0,0 +1,30 @@
+---
+title: Windows 10 - release information
+description: Learn release information for Windows 10 releases
+keywords: ["Windows 10", "Windows 10 October 2018 Update"]
+ms.prod: w10
+layout: LandingPage  
+ms.topic: landing-page
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: lizap
+ms.author: elizapo
+ms.localizationpriority: high
+---
+# Windows 10 release information
+
+Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
+
+Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
+
+>[!NOTE]
+>If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
+
+
+<div class="m-rich-content-block" data-grid="col-12">
+    <div id="winrelinfo" xmlns="http://www.w3.org/1999/xhtml"><iframe width="100%" height="866px" id="winrelinfo_iframe" src="https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/en-US.html" frameborder="0" marginwidth="0" marginheight="0" scrolling="auto"></iframe></div>
+    <script src="https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/iframe.js" xmlns="http://www.w3.org/1999/xhtml"></script>
+    <script xmlns="http://www.w3.org/1999/xhtml">/*<![CDATA[*/winrelinfo_setup("https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/en-US.html")/*]]>*/</script>
+</div>
+
+
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index da694ca9c8..58f6c1cbac 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -1,12 +1,12 @@
 ### YamlMime:YamlDocument
 
 documentType: LandingData
-title: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
+title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
 metadata:
   document_id: 
-  title: Resolved issues in Windows 7 and Windows Server 2008 R2 SP1
+  title: Resolved issues in Windows 8.1 and Windows Server 2012 R2
   description: Resolved issues in Windows 8.1 and Windows Server 2012 R2
-  keywords: ["Resolved issues in Windows 7", "Windows 7", "Windows Server 2012 R2"]
+  keywords: ["Resolved issues in Windows 8.1", "Windows 8.1", "Windows Server 2012 R2"]
   ms.localizationpriority: high
   author: greg-lindsay
   ms.author: greglin
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 0b2f989db7..3b7f39ee7e 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -258,279 +258,286 @@ The following tables provide descriptions of the default groups that are located
 <td><p>Yes</p></td>
 </tr>
 <tr class="odd">
+<td><p>[Device Owners](#bkmk-device-owners)</p></td>
+<td><p>Yes</p></td>
+<td><p>Yes</p></td>
+<td><p>Yes</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="even">
 <td><p>[Distributed COM Users](#bkmk-distributedcomusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[DnsUpdateProxy](#bkmk-dnsupdateproxy)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[DnsAdmins](#bkmk-dnsadmins)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Domain Admins](#bkmk-domainadmins)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Domain Computers](#bkmk-domaincomputers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Domain Controllers](#bkmk-domaincontrollers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Domain Guests](#bkmk-domainguests)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Domain Users](#bkmk-domainusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Enterprise Admins](#bkmk-entadmins)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
-<td><p>[Enterprise Key Admins](#bkmk-enterprise-key-admins)</p></td>
+<tr class="odd">
+<td><p>[Enterprise Key Admins](#enterprise-key-admins)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Enterprise Read-only Domain Controllers](#bkmk-entrodc)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Event Log Readers](#bkmk-eventlogreaders)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Group Policy Creator Owners](#bkmk-gpcreatorsowners)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Guests](#bkmk-guests)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Hyper-V Administrators](#bkmk-hypervadministrators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[IIS_IUSRS](#bkmk-iis-iusrs)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Key Admins](#key-admins)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Network Configuration Operators](#bkmk-networkcfgoperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Performance Log Users](#bkmk-perflogusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Performance Monitor Users](#bkmk-perfmonitorusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Print Operators](#bkmk-printoperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Protected Users](#bkmk-protectedusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[RAS and IAS Servers](#bkmk-rasandias)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[RDS Endpoint Servers](#bkmk-rdsendpointservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[RDS Management Servers](#bkmk-rdsmanagementservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Read-only Domain Controllers](#bkmk-rodc)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Remote Desktop Users](#bkmk-remotedesktopusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Remote Management Users](#bkmk-remotemanagementusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Replicator](#bkmk-replicator)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Schema Admins](#bkmk-schemaadmins)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Server Operators](#bkmk-serveroperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Storage Replica Administrators](#storage-replica-administrators)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[System Managed Accounts Group](#system-managed-accounts-group)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Terminal Server License Servers](#bkmk-terminalserverlic)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Users](#bkmk-users)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Windows Authorization Access Group](#bkmk-winauthaccess)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)</p></td>
 <td><p></p></td>
 <td><p>Yes</p></td>
@@ -1208,6 +1215,68 @@ This security group includes the following changes since Windows Server 2008:
 </tbody>
 </table>
 
+### <a href="" id="bkmk-device-owners"></a>Device Owners
+This group is not currently used in Windows. 
+
+Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group.
+
+The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-32-583</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>BuiltIn Local</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=BuiltIn, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>No</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Can be moved out but it is not recommended</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
+<td><p>No</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default User Rights</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+</td>
+</tr>
+</tbody>
+</table>
+
  
 
 ### <a href="" id="bkmk-distributedcomusers"></a>Distributed COM Users
@@ -3692,6 +3761,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tbody>
 </table>
 
+
 ## See also
 
 - [Security Principals](security-principals.md)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 0e10a79093..a588960870 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -22,8 +22,6 @@ ms.date: 08/17/2017
 - Windows Server 2016  
 
 
-Prefer video? See [Windows Defender Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series.
-
 Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
@@ -46,4 +44,4 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
 
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
 
-[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
+[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 626de0ca3e..b315be80ea 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -21,10 +21,9 @@ ms.date: 03/01/2019
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series.
 
 ## Enable Windows Defender Credential Guard
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
 The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
 
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 01d5a2d5a7..efceecd400 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -21,9 +21,6 @@ ms.date: 01/12/2018
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See
-[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
-in the Deep Dive into Windows Defender Credential Guard video series.
 
 For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index a7abd09380..d82576afc9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -71,7 +71,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an
 ### Facial recognition sensors
 To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
 
--   False Accept Rate (FAR): &lt;0.001
+-   False Accept Rate (FAR): &lt;0.001%
 
 -   False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 4c066287ac..febe2008ee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -22,11 +22,11 @@ ms.date: 08/19/2018
 Windows Hello for Business authentication is passwordless, two-factor authentication.  Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.<br>
 Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory.  Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>
 
-[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)<br>
-[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)<br>
-[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)<br>
-[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)<br>
-[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)<br>
+[Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)<br>
+[Azure AD join authentication to Active Directory using a Key](#azure-ad-join-authentication-to-active-directory-using-a-key)<br>
+[Azure AD join authentication to Active Directory using a Certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)<br>
+[Hybrid Azure AD join authentication using a Key](#hybrid-azure-ad-join-authentication-using-a-key)<br>
+[Hybrid Azure AD join authentication using a Certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)<br>
 
 
 ## Azure AD join authentication to Azure Active Directory
@@ -40,7 +40,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| 
 
-[Return to top](#Windows-Hello-for-Business-and-Authentication)
 ## Azure AD join authentication to Active Directory using a Key
 ![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
 
@@ -52,7 +51,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not be revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
 
 
-[Return to top](#Windows-Hello-for-Business-and-Authentication)
 ## Azure AD join authentication to Active Directory using a Certificate
 ![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
 
@@ -62,7 +60,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |B | The Kerberos provider sends the signed pre-authentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed pre-authentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not be revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
 
-[Return to top](#Windows-Hello-for-Business-and-Authentication)
 ## Hybrid Azure AD join authentication using a Key
 ![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)
 
@@ -76,7 +73,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
-[Return to top](#Windows-Hello-for-Business-and-Authentication)
 ## Hybrid Azure AD join authentication using a Certificate
 ![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
 
@@ -90,6 +86,3 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
-[Return to top](#Windows-Hello-for-Business-and-Authentication)
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 7eeaa651d5..23eed38ace 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -28,6 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)<br>
 [Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)<br>
 [Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
 [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)<br>
 [Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)<br>
 [Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)<br>
@@ -56,7 +57,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
 
 [Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment
+## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
 ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png)
 
 | Phase  | Description  |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index ac6315a04d..6b4a465a9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
 ## Directory Synchronization ##
 The two directories used in hybrid deployments must be synchronized.  You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
   
-Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect
+Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
  
 ### Section Review 
 > [!div class="checklist"]
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 9879494122..1325357065 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -29,12 +29,14 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h
 
 ## Managing devices joined to Azure Active Directory
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
 
 For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
 
+This is applicable to Azure Hybrid AD as well. 
+
 
 ## Managing workplace-joined PCs and phones
 
@@ -51,7 +53,7 @@ If you are installing a server manually, such as a stand-alone server, then choo
 
  Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
 
- For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
+ For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).
  
 ## PowerShell examples
 
@@ -134,4 +136,4 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
 
 [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell) 
 
-[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
\ No newline at end of file
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index eacf850aab..5493d4428d 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -50,6 +50,24 @@ As a result, if the currently used PCR bank is switched all keys that have been
 
 Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
 
+## How can I identify which PCR bank is being used?
+
+A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
+
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
+- DWORD: TPMActivePCRBanks<br>
+- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.<br>
+
+Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met.
+
+You can identify which PCR bank is currently used by Windows by looking at the registry.
+
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
+- DWORD: TPMDigestAlgID<br>
+- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)<br>
+
+Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted.
+
 ## Related topics
 
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 7728af0c4f..2a82682a3c 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -11,7 +11,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/17/2019
+ms.date: 04/29/2019
 ---
 
 # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
@@ -27,13 +27,15 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot
 
 You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: 
 
-- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
-- MAM supports only one user per device.  
-- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
 - MAM has additional **Access** settings for Windows Hello for Business.
 - MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
 - MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
 - An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
+- MAM supports only one user per device.  
+- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
+- Only MDM can use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) policies.
+- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
+
 
 ## Prerequisites
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index bc6a097de4..5df397e284 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/22/2019
+ms.date: 04/26/2019
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -480,6 +480,8 @@ After you've decided where your protected apps can access enterprise data on you
         
         - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
 
+    - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip).
+
 2. After you pick all of the settings you want to include, click **Summary**.
 
 ## Review your configuration choices in the Summary screen
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6574cf15e2..bb80483994 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -24,7 +24,7 @@ ms.date: 02/26/2019
 - Windows 10, version 1703 and later
 - Windows 10 Mobile, version 1703 and later
 
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
 
 The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
 
@@ -44,59 +44,42 @@ In the **Website learning report**, you can view a summary of the devices that h
 
    ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) 
 
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. 
 
-## View the WIP app learning report in Microsoft Operations Management Suite
+## Use the WIP section of Device Health
 
-From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
 
-![View in Intune of the link to OMS](images/wip-in-oms-console-link.png) 
-
-If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
->[!NOTE]
->Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
 
 Once you have WIP policies in place, by using the WIP section of Device Health, you can:
 
 - Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
 - Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
 
-![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
+## Use Device Health and Intune to adjust WIP protection policy
 
-The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can  [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
 
-![Details view](images/WIPNEW1-chart-selected-sterile.png)
+1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
 
-In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
-    
-![Details view for a specific app](images/WIPappID-sterile.png)
+2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
 
-Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
+3. Click **Protected apps**, and then click **Add Apps**.
 
-## Use OMS and Intune to adjust WIP protection policy
-
-1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
-
-2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
-
-3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-4. Click **Protected apps**, and then click **Add Apps**.
-
-5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). 
+4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). 
 
     ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
 
-6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
+5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
 
     ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
 
-7. Type the name of the product in **PRODUCT NAME** (required)  (this will probably be the same as what you typed for **NAME**).
+6. Type the name of the product in **PRODUCT NAME** (required)  (this will probably be the same as what you typed for **NAME**).
 
-8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
+7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
 
-9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
 
 When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
 
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index ea200b936f..4387af7e0b 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -224,7 +224,7 @@ The most common values:
 | 0x18 | KDC\_ERR\_PREAUTH\_FAILED              | Pre-authentication information was invalid                                  | The wrong password was provided.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event.                                                                                                                                                                                                                                                                                                                                                     |
 | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED            | Additional pre-authentication required                                      | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.                                                                                                                                                                                              |
 | 0x1A | KDC\_ERR\_SERVER\_NOMATCH              | KDC does not know about the requested server                                | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE             | KDC is unavailable                                                          | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER         | Server principal valid for user2user only                                   | This error occurs because the service is missing an SPN.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY           | Integrity check on decrypted field failed                                   | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.                                                                                                                                                                                                                                                                                                                                                                     |
 | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED             | The ticket has expired                                                      | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.                                                                                                                                                                                                                                                                                                                                                                                 |
 | 0x21 | KRB\_AP\_ERR\_TKT\_NYV                 | The ticket is not yet valid                                                 | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.                                                                                                                                                                                                                                           |
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index b5d15d6b55..ad62a5c02a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 04/29/2019
 ---
 
 # Enable block at first sight
@@ -68,6 +68,23 @@ For more information about configuring Windows Defender Antivirus device restric
 
 For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
 
+### Enable block at first sight with SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
+1. Click **Home** > **Create Antimalware Policy**.
+1. Enter a name and a description, and add these settings:
+   - **Real time protection**
+   - **Advanced**
+   - **Cloud Protection Service**
+1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   ![Enable real-time protection](images/defender/sccm-real-time-protection.png)
+1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   ![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
+1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+   ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
+1. Click **OK** to create the policy.
+
+
 ### Confirm block at first sight is enabled with Group Policy
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 37859694d9..3d7368b36a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -20,9 +20,9 @@ ms.date: 10/02/2018
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.
 
-These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
+These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
 
 Typical PUA behavior includes:
 
@@ -37,25 +37,17 @@ These applications can increase the risk of your network being infected with mal
 
 ## How it works
 
-PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
+Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined.
 
-- The file is being scanned from the browser
-- The file is in a folder with "**downloads**" in the path
-- The file is in a folder with "**temp**" in the path
-- The file is on the user's desktop
-- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*
-
-The file is placed in the quarantine section so it won't run.
-
-When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). 
+When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). 
 
 They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
 
 ## View PUA events
 
-PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
+PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. 
 
-Hoever, PUA detections will be reported if you have set up email notifications for detections.
+You can turn on email notifications for PUA detections.
 
 See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png
new file mode 100644
index 0000000000..1fb1745a5f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png
new file mode 100644
index 0000000000..3a47dcf6d8
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png
new file mode 100644
index 0000000000..1a7467f581
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md
index 24ba042fc8..4f2cd61854 100644
--- a/windows/security/threat-protection/windows-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md
@@ -31,7 +31,7 @@ The support for third-party solutions help to further streamline, integrate, and
 Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. 
 
 ## SIEM integration
-Microsoft Defender ATP supports SIEM integration through a variety of methods � specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management.  For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management.  For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md).
 
 ## Ticketing and IT service management 
 Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. 
@@ -49,12 +49,12 @@ External alerts can be pushed into Microsoft Defender ATP and is presented side-
 ## Indicators matching
 You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
 
-Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there�s a match.
+Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match.
 
 Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.  
 
 ## Support for non-Windows platforms
-Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products� sensor data giving you a unified experience.
+Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience.
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 5d82fb8254..1c4e998102 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -27,7 +27,9 @@ You might want to do this when testing how the features will work in your organi
 
 While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
 
-You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
+
+You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
 
 This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index b772be4c4c..204fad8ca0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 12/19/2018
+ms.date: 04/26/2019
 ---
 
 # Customize attack surface reduction rules
@@ -35,7 +35,7 @@ This could potentially allow unsafe files to run and infect your devices.
 >[!WARNING]
 >Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 > 
->If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 7a4da07a33..1a68651c4f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -11,14 +11,31 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
+ms.date: 04/29/2019
 ---
 
 # Enable attack surface reduction rules
 
 [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
 
+Each ASR rule contains three settings:
+
+* Not configured: Disable the ASR rule
+* Block: Enable the ASR rule
+* Audit: Evaluate how the ASR rule would impact your organization if enabled
+
 To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
 
+You can enable attack surface reduction rules by using any of the these methods:
+
+- [Microsoft Intune](#intune) 
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
+
+Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
+
 ## Exclude files and folders from ASR rules
 
 You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
@@ -26,7 +43,7 @@ You can exclude files and folders from being evaluated by most attack surface re
 >[!WARNING]
 >Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
 > 
->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 
 >[!IMPORTANT]
 >File and folder exclusions do not apply to the following ASR rules:
@@ -36,31 +53,11 @@ You can exclude files and folders from being evaluated by most attack surface re
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
 
->[!IMPORTANT] 
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. 
-
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 
 The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
 
-## Enable and audit attack surface reduction rules
-
-It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
-
->[!WARNING]
->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
-
-For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
-
-Each ASR rule contains three settings:
-
-* Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
-
-For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
-
-### Intune
+## Intune
 
 1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
@@ -68,11 +65,38 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 
 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
 	
-   *C:\folder*, *%ProgramFiles%\folder\file*, *path*	
+   *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*	
 
 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
-### SCCM
+## MDM
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+
+Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+
+The values to enable, disable, or enable in audit mode are:
+
+-  Disable = 0
+-  Block (enable ASR rule) = 1
+-  Audit = 2
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+
+Example:
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+
+Value: c:\path|e:\path|c:\Whitelisted.exe
+
+>[!NOTE]
+>Be sure to enter OMA-URI values without spaces.
+
+## SCCM
 
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
 1. Click **Home** > **Create Exploit Guard Policy**.
@@ -81,7 +105,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 1. Review the settings and click **Next** to create the policy.
 1. After the policy is created, click **Close**. 
 
-### Group Policy
+## Group Policy
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
@@ -102,7 +126,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### PowerShell
+## PowerShell
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
@@ -153,32 +177,6 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 	>[!IMPORTANT]
 	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 
-### MDM
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). 
-
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
-
-Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
-
-The values to enable, disable, or enable in audit mode are:
-
--  Disable = 0
--  Block (enable ASR rule) = 1
--  Audit = 2
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
-
-Example:
-
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
-
-Value: c:\path|e:\path|c:\Whitelisted.exe
-
->[!NOTE]
->Be sure to enter OMA-URI values without spaces.
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 7fe9b0d463..d761ebfc85 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/22/2019
+ms.date: 04/29/2019
 ---
 
 # Enable controlled folder access
@@ -75,6 +75,8 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 1. Click **Home** > **Create Exploit Guard Policy**.
 1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
 1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+   >[!NOTE]
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected.  
 1. Review the settings and click **Next** to create the policy.
 1. After the policy is created, click **Close**. 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 93e5640492..707aa20197 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: andreabichsel
-ms.author: v-anbic
+author: Justinha
+ms.author: justinha
 ms.date: 04/02/2019
 ---
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
index 708142ccf5..aac22be513 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@@ -72,11 +72,11 @@ If you've tested the feature with the demo site and with audit mode, and network
 When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 
 
 1. Open an elevated command prompt and change to the Windows Defender directory:
-   ```console
+   ```
    cd c:\program files\windows defender
    ```
 2. Run this command to generate the diagnostic logs:
-   ```console
+   ```
    mpcmdrun -getfiles
    ```
 3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.