diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 107a70bff1..bf51ddcd42 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1352,6 +1352,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
index 5589ec096d..02c0a61b10 100644
--- a/devices/hololens/hololens2-autopilot.md
+++ b/devices/hololens/hololens2-autopilot.md
@@ -71,7 +71,7 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
 Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
 
 - The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
-- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity. 
 - Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
   - Advanced Recovery Companion (ARC)
   - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md
index c7a6729376..f4c72234bf 100644
--- a/mdop/mbam-v1/evaluating-mbam-10.md
+++ b/mdop/mbam-v1/evaluating-mbam-10.md
@@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi
 <td align="left"><p></p>
 <p>Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.</p>
 <div class="alert">
-<strong>Note</strong><br/><p>You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of <em>C:\Backup&lt;/em&gt;. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.</p>
+<strong>Note</strong><br/><p>You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of <em>C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.</p>
 </div>
 <div>
 
 </div>
 <pre class="syntax" space="preserve"><code>USE master;
 GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;amp;#39;P@55w0rd&#39;;
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#39;P@55w0rd&#39;;
 GO
 CREATE CERTIFICATE tdeCert WITH SUBJECT = &#39;TDE Certificate&#39;;
 GO
 BACKUP CERTIFICATE tdeCert TO FILE = &#39;C:\Backup\TDECertificate.cer&#39;
    WITH PRIVATE KEY (
          FILE = &#39;C:\Backup\TDECertificateKey.pvk&#39;,
-         ENCRYPTION BY PASSWORD = &amp;amp;#39;P@55w0rd&#39;);
+         ENCRYPTION BY PASSWORD = &#39;P@55w0rd&#39;);
 GO</code></pre></td>
 <td align="left"><p><a href="mbam-10-deployment-prerequisites.md" data-raw-source="[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)">MBAM 1.0 Deployment Prerequisites</a></p>
 <p><a href="https://go.microsoft.com/fwlink/?LinkId=269703" data-raw-source="[Database Encryption in SQL Server 2008 Enterprise Edition](https://go.microsoft.com/fwlink/?LinkId=269703)">Database Encryption in SQL Server 2008 Enterprise Edition</a></p></td>
diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md
index 2169488622..598d24ea19 100644
--- a/windows/client-management/mdm/get-seat.md
+++ b/windows/client-management/mdm/get-seat.md
@@ -1,6 +1,6 @@
 ---
 title: Get seat
-description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
 ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6
 ms.reviewer: 
 manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
 
 # Get seat
 
-The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
 
 ## Request
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 60ae0ffa10..9b2fcfb9c3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -16,10 +16,10 @@ manager: dansimp
 
 To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues.
 
-:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
 
 To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided.
 
-:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
+:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
 
 In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 7156ab49ea..9bdf2f0ae6 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -17,7 +17,7 @@ ms.author: dansimp
 
 Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
 
-:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
 
 ## Where is Cortana available for use in my organization?
 
@@ -30,7 +30,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store
 Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization.
 
 >[!NOTE]
->A microphone is not required to use Cortana.
+>A microphone isn't required to use Cortana.
 
 |**Software**  |**Minimum version**  |
 |---------|---------|
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
 
 ### Cortana in Windows 10, version 2004 and later
 
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
 
 #### How does Microsoft store, retain, process, and use Customer Data in Cortana?
 
@@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
 
 The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user&#39;s PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
 
-:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
+:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
 
 At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user&#39;s PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 642a124de8..ae1cc6a4a5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -22,9 +22,9 @@ manager: dansimp
 
 4. Say **Cortana, what can you do?**.
 
-When you say &quot;Cortana&quot;, Cortana will open in listening mode to acknowledge the wake word.
+When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
 
-:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
 
 Once you finish saying your query, Cortana will open with the result.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 55a3d754d6..cd8da63e37 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -20,7 +20,7 @@ manager: dansimp
 
 Cortana will respond with the information from Bing.
 
-:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
+:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
 
 >[!NOTE]
->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 333199a0a5..5382e5665c 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -16,11 +16,10 @@ manager: dansimp
 
 This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
 
-1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**.
+1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
 
 Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
 
-:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-
-:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
+:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
 
+:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index ec22777755..1a34778608 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 4 - Use Cortana to find free time on your calendar
 
-This process helps you find out if a time slot is free on your calendar.
+This scenario helps you find out if a time slot is free on your calendar.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar.
 
 Cortana will respond with your availability for that time, as well as nearby meetings.
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
+:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index ee0bbe9a6e..6312ad8983 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart.
 
 2. Type or select the mic and say, **Who is name of person in your organization's?**
 
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
+:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
 
-Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search.
\ No newline at end of file
+Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 739f5afbfd..b2c7bdd9dd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -14,7 +14,7 @@ manager: dansimp
 
 # Test scenario 6 – Change your language and perform a quick search with Cortana
 
-Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another.
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
 
 1. Select the  **Cortana**  icon in the taskbar.
 
@@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li
 
 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
 
-:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
+:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index c1b71aa782..14dfdcd3da 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -32,8 +32,8 @@ Users cannot enable or disable the Bing Answer feature individually. So, if you
 Sign in to the [Office Configuration Admin tool](https://config.office.com/).
 
 Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
-    
-:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example":::
+
+:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
 
 ## How does Microsoft handle customer data for Bing Answers?
 
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
 
 2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users&#39; workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
 
-Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization.
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
 
 ## How the Bing Answer policy configuration is applied
 Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
\ No newline at end of file
diff --git a/windows/configuration/images/Shared_PC_1.png b/windows/configuration/images/Shared_PC_1.png
new file mode 100644
index 0000000000..bf145f6c19
Binary files /dev/null and b/windows/configuration/images/Shared_PC_1.png differ
diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png
new file mode 100644
index 0000000000..c9d2362634
Binary files /dev/null and b/windows/configuration/images/Shared_PC_2.png differ
diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png
new file mode 100644
index 0000000000..83b3a66fc8
Binary files /dev/null and b/windows/configuration/images/Shared_PC_3.png differ
diff --git a/images/screenshot1.png b/windows/configuration/screenshot1.png
similarity index 100%
rename from images/screenshot1.png
rename to windows/configuration/screenshot1.png
diff --git a/images/screenshot10.png b/windows/configuration/screenshot10.png
similarity index 100%
rename from images/screenshot10.png
rename to windows/configuration/screenshot10.png
diff --git a/images/screenshot11.png b/windows/configuration/screenshot11.png
similarity index 100%
rename from images/screenshot11.png
rename to windows/configuration/screenshot11.png
diff --git a/images/screenshot12.png b/windows/configuration/screenshot12.png
similarity index 100%
rename from images/screenshot12.png
rename to windows/configuration/screenshot12.png
diff --git a/images/screenshot2.png b/windows/configuration/screenshot2.png
similarity index 100%
rename from images/screenshot2.png
rename to windows/configuration/screenshot2.png
diff --git a/images/screenshot3.png b/windows/configuration/screenshot3.png
similarity index 100%
rename from images/screenshot3.png
rename to windows/configuration/screenshot3.png
diff --git a/images/screenshot4.png b/windows/configuration/screenshot4.png
similarity index 100%
rename from images/screenshot4.png
rename to windows/configuration/screenshot4.png
diff --git a/images/screenshot5.png b/windows/configuration/screenshot5.png
similarity index 100%
rename from images/screenshot5.png
rename to windows/configuration/screenshot5.png
diff --git a/images/screenshot6.png b/windows/configuration/screenshot6.png
similarity index 100%
rename from images/screenshot6.png
rename to windows/configuration/screenshot6.png
diff --git a/images/screenshot7.png b/windows/configuration/screenshot7.png
similarity index 100%
rename from images/screenshot7.png
rename to windows/configuration/screenshot7.png
diff --git a/images/screenshot8.png b/windows/configuration/screenshot8.png
similarity index 100%
rename from images/screenshot8.png
rename to windows/configuration/screenshot8.png
diff --git a/images/screenshot9.png b/windows/configuration/screenshot9.png
similarity index 100%
rename from images/screenshot9.png
rename to windows/configuration/screenshot9.png
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 95cf9806b1..289a37a0b6 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
  
 
 ### Customization
-Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
+Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
 
 | Setting | Value |
 |:---|:---|
@@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
 | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies.     |
 [Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
 
+## Configuring Shared PC mode for Windows
 
-## Configuring shared PC mode on Windows
 You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
 
-![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) 
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
 
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**.
+  1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
+  2. Select **Devices** from the navigation. 
+  3. Under **Policy**, select **Configuration profiles**.
+  4. Select **Create profile**.
+  5. From the **Platform** menu, select **Windows 10 and later**.
+  6. From the **Profile** menu, select **Shared multi-user device**.
 
-![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
+     ![custom OMA-URI policy in Intune](images/Shared_PC_1.png) 
+
+  7. Select **Create**.
+  8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
+  9. Select **Next**.
+  10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
+
+     ![Shared PC settings in ICD](images/Shared_PC_3.png) 
+
+  11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
+
+- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
+
+     ![Shared PC settings in ICD](images/icd-adv-shared-pc.PNG)
 
 - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
 
diff --git a/windows/deployment/update/define-update-strategy.md b/windows/deployment/update/define-update-strategy.md
new file mode 100644
index 0000000000..d8fd47ee87
--- /dev/null
+++ b/windows/deployment/update/define-update-strategy.md
@@ -0,0 +1,59 @@
+---
+title: Define update strategy
+ms.reviewer: 
+manager: laurawi
+description: 
+keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Define update strategy
+
+Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
+
+Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
+
+Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
+
+
+
+## Calendar approaches
+
+You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
+
+
+### Annual
+
+Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
+
+![annual calendar](images/annual-calendar.png)
+
+This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.  
+
+This cadence might be most suitable for you if any of these conditions apply:
+
+- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.  
+- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
+
+
+### Rapid
+
+This calendar shows an example schedule that installs each feature update as it is released, twice per year:
+
+![rapid calendar](images/rapid-calendar.png)
+
+This cadence might be best for you if these conditions apply:
+
+- You have a strong appetite for change.
+- You want to continuously update supporting infrastructure and unlock new scenarios.
+- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office.
+- You have experience with feature updates for Windows 10.
\ No newline at end of file
diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png
new file mode 100644
index 0000000000..a13d5393e6
Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ
diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png
new file mode 100644
index 0000000000..1ff15bed76
Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ
diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png
new file mode 100644
index 0000000000..35aec71626
Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
new file mode 100644
index 0000000000..a2ff53df19
--- /dev/null
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -0,0 +1,115 @@
+---
+title: Define readiness criteria
+ms.reviewer: 
+manager: laurawi
+description: Identify important roles and figure out how to classify apps
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Define readiness criteria
+
+## Figure out roles and personnel
+
+Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+
+### Process manager
+
+The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities:
+
+
+|Compatibility workstream  |Deployment  |Capability and modernization  |
+|---------|---------|---------|
+|[Assigning application priority](#set-criteria-for-rating-apps)     |  Reviewing infrastructure requirements       | Determining infrastructure changes        |
+|Application assessment     | Validating infrastructure against requirements        | Determining configuration changes        |
+|Device assessment     |  Creating infrastructure update plan       | Create capability proposal        |
+
+It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment.
+
+
+This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed:
+
+
+|Role  |Responsibilities  |Skills  |Active phases  |
+|---------|---------|---------|---------|
+|Process manager     | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress        | IT service management        | Plan, prepare, pilot deployment, broad deployment        |
+|Application owner     | Define application test plan; assign user acceptance testers; certify the application         | Knowledge of critical and important applications        | Plan, prepare, pilot deployment        |
+|Application developer     | Ensure apps are developed to stay compatible with current Windows versions        | Application development; application remediation        | Plan, prepare        |
+|End-user computing     | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows        | Bare-metal deployment; infrastructure management; application delivery; update management        | Plan, prepare, pilot deployment, broad deployment        |
+|Operations     | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks.        | Platform security        | Prepare, pilot deployment, broad deployment        |
+|Security     | Review and approve the security baseline and tools        | Platform security        | Prepare, pilot deployment        |
+|Stakeholders     | Represent groups affected by updates, for example, heads of finance, end-user services, or change management        | Key decision maker for a business unit or department        | Plan, pilot deployment, broad deployment        |
+
+
+
+
+
+
+## Set criteria for rating apps
+
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
+
+In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
+
+Here's a suggested classification scheme:
+
+
+|Classification  |Definition|
+|---------|---------|
+|Critical     | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. |
+|Important     | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business.       |
+|Not important   | There is no impact on the business if these apps are not available for a while.        |
+
+Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
+
+Here's an example priority rating system; of course the specifics could vary for your organization:
+
+
+|Priority  |Definition  |
+|---------|---------|
+|1        | Any issues or risks identified must be investigated and resolved as soon as possible.        |
+|2     | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle.    |
+|3     | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle.        |
+|4     | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle.        |
+
+Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
+
+Here's an example:
+
+
+|Severity  |Effect  |
+|---------|---------|
+|1     | Work stoppage or loss of revenue        |
+|2     | Productivity loss for a business unit        |
+|3     | Productivity loss for individual users         |
+|4     | Minimal impact on users        |
+
+## Example: a large financial corporation
+
+Using the suggested scheme, a financial corporation might classify their apps like this:
+
+
+|App  |Classification  |
+|---------|---------|
+|Credit processing app     | Critical        |
+|Frontline customer service app     |  Critical       |
+|PDF viewer     | Important        |
+|Image processing app     | Not important        |
+
+Further, they might combine this classification with severity and priority rankings like this:
+
+
+|Classification  |Severity  |Priority  |Response  |
+|---------|---------|---------|---------|
+|Critical     |  1 or 2       |  1 or 2       | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only.       |
+|Important     | 3 or 4        |  3 or 4       | For 3, continue deployment, even for affected devices, as long as there is workaround guidance.        |
+|Not important     |   4      | 4        |  Continue deployment for all devices.       |
+
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index a5d605d778..b4bb57aef5 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
 
 By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 
-[//]: # (Configuration Manager Boundary Group option; GroupID Source policy)
+[//]: # (Configuration Manager boundary group option; GroupID Source policy)
 
 >[!NOTE]
 >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index ac14bcf549..7bcf7c77c3 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
 >[!NOTE]
 >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
 
+> [!NOTE]
+> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings).
+
 Quick-reference table:
 
 | Use case | Policy | Recommended value | Reason |
@@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat
 
 To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
 
+> [!NOTE]
+> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
+
 
 ### Large number of mobile devices
 
@@ -139,7 +145,9 @@ Using the `-Verbose` option returns additional information:
 - Bytes from CDN (the number of bytes received over HTTP)
 - Average number of peer connections per download 
 
-Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
+Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+
+Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
 
 Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
 
@@ -166,6 +174,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
 
 #### Work with Delivery Optimization logs
 
+**Starting in Windows 10, version 2004:**
+
+`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+
+With no options, this cmdlet returns these data:
+
+- total number of files
+- number of foreground files
+- minimum file size for it to be cached
+- number of eligible files
+- number of files with peers
+- number of peering files [how different from the above?]
+- overall efficiency
+- efficiency in the peered files
+
+Using the `-ListConnections` option returns these detauls about peers:
+
+- destination IP address
+- peer type
+- status code
+- bytes sent
+- bytes received
+- file ID
+
 **Starting in Windows 10, version 1803:**
 
 `Get-DeliveryOptimizationLog [-Path <etl file path, supports wildcards>] [-Flush]`
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index d37589c3e6..40cf29568f 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
 >[!NOTE]
 >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
 
+## New in Windows 10, version 2004
+
+- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
+
+![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png)
+
+- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache).
+
+
 ## Requirements
 
 The following table lists the minimum Windows 10 version that supports Delivery Optimization:
@@ -54,8 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery
 | Windows Defender definition updates | 1511 |
 | Office Click-to-Run updates | 1709 |
 | Win32 apps for Intune | 1709 |
+| Office installations and updates | 2004 |
+| Xbox game pass games | 2004 |
+| MSIX apps (HTTP downloads only) | 2004 |
 | Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
 
+> [!NOTE]
+> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
+
+
+
 <!-- ### Network requirements
 
 {can you share with me what the network requirements are?}-->
@@ -124,6 +141,30 @@ For the payloads (optional):
 
 **How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
 
+**How does Delivery Optimization handle VPNs?**
+Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
+
+If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy.
+
+If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
+
+With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
+
+Delivery Optimization service endpoint:
+- `https://*.prod.do.dsp.mp.microsoft.com`
+
+Delivery Optimization metadata:
+- `http://emdl.ws.microsoft.com`
+- `http://*.dl.delivery.mp.microsoft.com`
+
+Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
+
+- `http://*.windowsupdate.com`
+- `https://*.delivery.mp.microsoft.com`
+- `https://*.update.microsoft.com`
+- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
+
+For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
 
 ## Troubleshooting
 
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index d94b04fdcb..9b7c22ee03 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -22,6 +22,7 @@
 ## [DFCI management](dfci-management.md)
 ## [Windows Autopilot update](autopilot-update.md)
 ## [Troubleshooting](troubleshooting.md)
+## [Policy conflicts](policy-conflicts.md)
 ## [Known issues](known-issues.md)
 
 # Support
diff --git a/windows/deployment/windows-autopilot/policy-conflicts.md b/windows/deployment/windows-autopilot/policy-conflicts.md
new file mode 100644
index 0000000000..3fd528f206
--- /dev/null
+++ b/windows/deployment/windows-autopilot/policy-conflicts.md
@@ -0,0 +1,37 @@
+---
+title: Windows Autopilot policy conflicts
+ms.reviewer: 
+manager: laurawi
+description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: mtniehaus
+ms.author: mniehaus
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot - Policy Conflicts
+
+**Applies to**
+
+- Windows 10
+
+There are a sigificant number of policy settings available for Windows 10, both as native MDM policies and group policy (ADMX-backed) settings. Some of these can cause issues in certain Windows Autopilot scenarios as a result of how they change the behavior of Windows 10. If you encounter any of these issues, remove the policy in question to resolve the issue.
+
+<table>
+<th>Policy<th>More information
+
+<tr><td width="50%">Device restriction / <a href="https://docs.microsoft.com/partner-center/regional-authorization-overview">Password policy</a>
+<td>When certain <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-devicelock">DeviceLock policies</a>, such as minimum password length and password complexity, or any similar group policy settings, including any that disable auto-logon, are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience or user desktop auto-logon could fail unexpectantly.
+</table>
+
+## Related topics
+
+[Troubleshooting Windows Autopilot](troubleshooting.md)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 85d9523c9b..8c01645295 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -74,7 +74,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
 - Microsoft Remote Desktop 
 
 > [!NOTE]
-> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
+> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
 
 ## List of WIP-work only apps from Microsoft
 Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c294c170b7..50032d076f 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -327,6 +327,8 @@
 
 ### [Behavioral blocking and containment]()
 #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
+#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
+#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
 #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
 
 ### [Automated investigation and response (AIR)]()
@@ -417,8 +419,6 @@
 ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
 
-#### [APIs]()
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
 
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
@@ -441,7 +441,6 @@
 ## Reference
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-
 #### [Microsoft Defender ATP API]()
 ##### [Get started]()
 ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
@@ -574,7 +573,6 @@
 ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
 ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
 ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
 ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
 ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
 ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 3b57273926..95aaddc7ab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -28,8 +28,9 @@ ms.topic: article
 Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Detections API fields and portal mapping
 The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
@@ -91,7 +92,6 @@ Field numbers match the numbers in the images below.
 
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index c7c5359ec2..9ab72ae669 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -50,9 +50,9 @@ The following image shows an example of an alert that was triggered by behaviora
 
 - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
 
-- **Client behavioral blocking** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) 
+- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) 
 
-- **Feedback-loop blocking** (also referred to as rapid protection) Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) 
+- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) 
 
 - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) 
 
@@ -60,6 +60,22 @@ Expect more to come in the area of behavioral blocking and containment, as Micro
 
 ## Examples of behavioral blocking and containment in action
 
+Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
+
+- Credential dumping from LSASS
+- Cross-process injection
+- Process hollowing
+- User Account Control bypass
+- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
+- Contacting Command and Control (C&C) to download payloads
+- Coin mining
+- Boot record modification
+- Pass-the-hash attacks
+- Installation of root certificate
+- Exploitation attempt for various vulnerabilities
+
+Below are two real-life examples of behavioral blocking and containment in action.
+
 ### Example 1: Credential theft attack against 100 organizations
 
 As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. 
@@ -92,12 +108,12 @@ This example shows that with behavioral blocking and containment capabilities, t
 
 ## Next steps
 
-- [Learn more about recent global threat activity](https://www.microsoft.com/wdsi/threats)
-
 - [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
 
 - [Configure your attack surface reduction rules](attack-surface-reduction.md)
 
 - [Enable EDR in block mode](edr-in-block-mode.md)
 
-- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
\ No newline at end of file
+- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
+
+- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
new file mode 100644
index 0000000000..317b858f36
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -0,0 +1,90 @@
+---
+title: Client behavioral blocking
+description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro 
+ms.topic: article 
+ms.prod: w10 
+ms.localizationpriority: medium
+ms.custom: 
+- next-gen
+- edr
+ms.collection: 
+---
+
+# Client behavioral blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. 
+
+:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
+
+Antivirus protection works best when paired with cloud protection.
+
+## How client behavioral blocking works
+
+[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device. 
+
+Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
+
+## Behavior-based detections
+
+Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
+
+
+|Tactic |	Detection threat name |
+|----|----|
+|Initial Access	| Behavior:Win32/InitialAccess.*!ml |
+|Execution	| Behavior:Win32/Execution.*!ml |
+|Persistence	| Behavior:Win32/Persistence.*!ml |
+|Privilege Escalation	| Behavior:Win32/PrivilegeEscalation.*!ml |
+|Defense Evasion	| Behavior:Win32/DefenseEvasion.*!ml |
+|Credential Access	| Behavior:Win32/CredentialAccess.*!ml |
+|Discovery	| Behavior:Win32/Discovery.*!ml |
+|Lateral Movement |	Behavior:Win32/LateralMovement.*!ml |
+|Collection |	Behavior:Win32/Collection.*!ml |
+|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
+|Exfiltration	| Behavior:Win32/Exfiltration.*!ml |
+|Impact	| Behavior:Win32/Impact.*!ml |
+|Uncategorized	| Behavior:Win32/Generic.*!ml |
+
+> [!TIP]
+> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
+
+
+## Configuring client behavioral blocking
+
+If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [Feedback-loop blocking](feedback-loop-blocking.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index ad965c75e5..d5f2d69d6c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -27,31 +27,29 @@ ms.topic: article
 
 ## Pull detections using security information and events management (SIEM) tools
 
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
 
 
-Microsoft Defender ATP currently supports the following SIEM tools:
+Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
 
-- Splunk
-- HP ArcSight
+- IBM QRadar
+- Micro Focus ArcSight
+
+Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
 
 To use either of these supported SIEM tools you'll need to:
 
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
 - Configure the supported SIEM tool:
-    - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
-    - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+     - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+     - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
 
 
-## Pull Microsoft Defender ATP detections using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-
-For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
deleted file mode 100644
index c27fdb45cc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-title: Configure Splunk to pull Microsoft Defender ATP detections
-description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
-keywords: configure splunk, security information and events management tools, splunk
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Configure Splunk to pull Microsoft Defender ATP detections
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) 
-
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
-
-## Before you begin
-
-- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
-- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
-   - Tenant ID
-   - Client ID
-   - Client Secret
-   - Resource URL
-
-
-## Configure Splunk
-
-1. Login in to Splunk.
-
-2. Go to **Settings** > **Data inputs**.
-
-3. Select **Windows Defender ATP alerts** under **Local inputs**.
-
-   >[!NOTE]
-   > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
-   > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
-
-
-4. Click **New**.
-
-5. Type the following values in the required fields, then click **Save**:
-
-   NOTE:
-   All other values in the form are optional and can be left blank.
-
-   <table>
-   <tbody style="vertical-align:top;">
-   <tr>
-   <th>Field</th>
-   <th>Value</th>
-   </tr>
-   <tr>
-   <td>Name</td>
-   <td>Name for the Data Input</td>
-   </tr>
-    <td>Login URL</td>
-   <td>URL to authenticate the azure app (Default : https://login.microsoftonline.com)</td>
-   </tr>
-   <td>Endpoint</td>
-   <td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>:  <code>https://wdatp-alertexporter-eu.securitycenter.windows.com</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com</code>
-   </tr>
-   <tr>
-   <td>Tenant ID</td>
-   <td>Azure Tenant ID</td>
-   </tr>
-   <td>Resource</td>
-   <td>Value from the SIEM integration feature page</td>
-   <tr>
-   <td>Client ID</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   <tr>
-   <td>Client Secret</td>
-   <td>Value from the SIEM integration feature page</td>
-   </tr>
-   
-   </tr>
-   </table>
-
-After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-
-## View detections using Splunk solution explorer
-Use the solution explorer to view detections in Splunk.
-
-1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
-
-2. Select **New**.
-
-3. Enter the following details:
-   - Search: Enter a query, for example:</br>
-     `sourcetype="wdatp:alerts" |spath|table*`
-   - App: Add-on for Windows Defender (TA_Windows-defender)
-
-     Other values are optional and can be left with the default values.
-
-4. Click **Save**. The query is saved in the list of searches.
-
-5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
-
-
->[!TIP]
-> To minimize Detection duplications, you can use the following query:
->```source="rest://wdatp:alerts" | spath | dedup _raw | table *``` 
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index f408e29140..382f789aa7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -27,9 +27,10 @@ ms.topic: article
 
 Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
 
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 ## Prerequisites
 - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
@@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det
 You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
 
 ## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
 - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
 - [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
 - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
new file mode 100644
index 0000000000..d4be39d220
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -0,0 +1,58 @@
+---
+title: Feedback-loop blocking
+description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro 
+ms.topic: article 
+ms.prod: w10 
+ms.localizationpriority: medium
+ms.custom: 
+- next-gen
+- edr
+ms.collection: 
+---
+
+# Feedback-loop blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. 
+
+## How feedback-loop blocking works
+
+When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem. 
+
+With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
+
+
+## Configuring feedback-loop blocking
+
+If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png
index 7635b49f3e..50aaff6186 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png
new file mode 100644
index 0000000000..eb5819123e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png
new file mode 100644
index 0000000000..cea5e255f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png
index 94c724f0c8..ef062f0c8e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 412d0351fa..31656eeae6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t
     sudo yum install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ yum repolist
+    ...
+    packages-microsoft-com-prod               packages-microsoft-com-prod        316
+    packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins      2
+    ...
+
+    # install the package from the production repository
+    $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+    ```
+
 - SLES and variants:
 
     ```bash
     sudo zypper install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ zypper repos
+    ...
+    #  | Alias | Name | ...
+    XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
+    XX | packages-microsoft-com-prod | microsoft-prod | ...
+    ...
+
+    # install the package from the production repository
+    $ sudo zypper install packages-microsoft-com-prod:mdatp
+    ```
+
 - Ubuntu and Debian system:
 
     ```bash
     sudo apt-get install mdatp
     ```
 
+    If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+    ```bash
+    # list all repositories
+    $ cat /etc/apt/sources.list.d/*
+    deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
+    deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+
+    # install the package from the production repository
+    $ sudo apt -t bionic install mdatp
+    ```
+
 ## Download the onboarding package
 
 Download the onboarding package from Microsoft Defender Security Center:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index e633d8184f..f1928bc4d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -1,6 +1,6 @@
 ---
-title: Manual deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac manually, from the command line.
+title: Manual deployment for Microsoft Defender ATP for macOS
+description: Install Microsoft Defender ATP for macOS manually, from the command line.
 keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -17,45 +17,34 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Manual deployment for Microsoft Defender ATP for Mac
+# Manual deployment for Microsoft Defender ATP for macOS
 
 **Applies to:**
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
 
-This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
 - [Application installation](#application-installation)
 - [Client configuration](#client-configuration)
 
 ## Prerequisites and system requirements
 
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
 
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender Security Center:
 
 1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 
-    ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png)
+    ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-page.png)
 
 5. From a command prompt, verify that you have the two files.
-    Extract the contents of the .zip files:
-  
-    ```bash
-    $ ls -l
-    total 721152
-    -rw-r--r--  1 test  staff       6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    $ unzip WindowsDefenderATPOnboardingPackage.zip
-    Archive:  WindowsDefenderATPOnboardingPackage.zip
-    inflating: MicrosoftDefenderATPOnboardingMacOs.py
-    ```
-
+    
 ## Application installation
 
 To complete this process, you must have admin privileges on the machine.
@@ -87,7 +76,7 @@ The installation proceeds.
 
 ## Client configuration
 
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS.
 
     The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
 
@@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues)
 
 ## Uninstallation
 
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
+See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index d5613256d1..5d98e6652f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
 
 3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
 
-Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+4. Install the Microsoft Monitoring Agent (MMA). <br>
+    MMA is currently (as of January 2019) supported on the following Windows Operating
+    Systems:
 
-Edit the InstallMMA.cmd with a text editor, such as notepad and update the
-following lines and save the file:
+    -   Server SKUs: Windows Server 2008 SP1 or Newer
 
-   ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
+    -   Client SKUs: Windows 7 SP1 and later
 
-Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+    The MMA agent will need to be installed on Windows devices. To install the
+    agent, some systems will need to download the [Update for customer experience
+    and diagnostic
+    telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+    in order to collect the data with MMA. These system versions include but may not
+    be limited to:
 
-   ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
+    -   Windows 8.1
 
-Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
-Systems:
+    -   Windows 7
 
--   Server SKUs: Windows Server 2008 SP1 or Newer
+    -   Windows Server 2016
 
--   Client SKUs: Windows 7 SP1 and later
+    -   Windows Server 2012 R2
 
-The MMA agent will need to be installed on Windows devices. To install the
-agent, some systems will need to download the [Update for customer experience
-and diagnostic
-telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-in order to collect the data with MMA. These system versions include but may not
-be limited to:
+    -   Windows Server 2008 R2
 
--   Windows 8.1
+    Specifically, for Windows 7 SP1, the following patches must be installed:
 
--   Windows 7
+    -   Install
+        [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
 
--   Windows Server 2016
+    -   Install either [.NET Framework
+        4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+        later) **or**
+        [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+        Do not install both on the same system.
 
--   Windows Server 2012 R2
+5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
 
--   Windows Server 2008 R2
-
-Specifically, for Windows 7 SP1, the following patches must be installed:
-
--   Install
-    [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
--   Install either [.NET Framework
-    4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
-    later) **or**
-    [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
-    Do not install both on the same system.
-
-To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
-below to utilize the provided batch files to onboard the systems. The CMD file
-when executed, will require the system to copy files from a network share by the
-System, the System will install MMA, Install the DependencyAgent, and configure
-MMA for enrollment into the workspace.
-
-
-1. In  Microsoft Endpoint Configuration Manager console, navigate to **Software
-    Library**.
-
-2.  Expand **Application Management**.
-
-3.  Right-click **Packages**  then select **Create Package**.
-
-4. Provide a Name for the package, then click **Next**
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png)
-
-5. Verify **Standard Program** is selected.
-
-   ![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png)
-
-6.  Click **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png)
-
-7. Enter a program name.
-
-8.  Browse to the location of the InstallMMA.cmd.
-
-9.  Set Run to **Hidden**.
-
-10. Set **Program can run** to **Whether or not a user is logged on**.
-
-11. Click **Next**.
-
-12. Set the **Maximum allowed run time** to 720.
-
-13. Click **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
-
-14. Verify the configuration, then click **Next**.
-
-    ![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png)
-
-15. Click **Next**.
-
-16. Click **Close**.
-
-17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
-    Onboarding Package just created and select **Deploy**.
-
-18. On the right panel select the appropriate collection.
-
-19. Click **OK**.
+Once completed, you should see onboarded endpoints in the portal within an hour.
 
 ## Next generation protection 
 Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index f2c30ec2e4..c55c6e231f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -27,8 +27,9 @@ ms.topic: article
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
 
 >[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
 
 Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 2251ec4e49..b3955f8794 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -30,20 +30,20 @@ ms.topic: article
 
 Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
 
-1. Create a folder:  'C:\test-WDATP-test'.
+1. Create a folder:  'C:\test-MDATP-test'.
 2. Open an elevated command-line prompt on the machine and run the script:
 
-    a.  Go to **Start** and type **cmd**.
+   1. Go to **Start** and type **cmd**.
 
-    b.  Right-click **Command Prompt** and select **Run as administrator**.
+   1. Right-click **Command Prompt** and select **Run as administrator**.
 
-    ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+      ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
 
 3. At the prompt, copy and run the following command:
 
-    ```
-    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
-    ```
+   ```powershell
+   powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
+   ```
 
 The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index f99aa7584f..625c85ac9a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 11/16/2018
+ms.date: 05/20/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,15 +23,15 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
 
 1. Open **Windows Security**.
-2. Click **Virus & threat protection** and then click **Threat History**.
-3. Under **Quarantined threats**, click **See full history**.
-4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
+2. Select **Virus & threat protection** and then click **Protection history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
+4. Select an item you want to keep, and take an action, such as restore.
 
-> [!NOTE]
-> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
+> [!TIP]
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine). 
 
 ## Related articles