diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index 943400d44c..5d6989d80b 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
 
 ## Windows 10 Team Creators Update 1703
 
+<details>
+<summary>January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)</summary>
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+* Addresses an issue with log collection for Microsoft Surface Hub 2S.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4534296](https://support.microsoft.com/help/4534296)
+</details>
+
 <details>
 <summary>September 24, 2019—update for Team edition based on KB4516059*  (OS Build 15063.2078)</summary>
 
@@ -57,7 +68,6 @@ Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface
 
 This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
 
-* Addresses an issue with log collection for Microsoft Surface Hub 2S.
 * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
 * Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios.
 * Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. 
diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index 0e5600c12c..e01737c52e 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -89,11 +89,11 @@ The Surface Hub Hardware Diagnostic tool is an easy-to-navigate tool that lets t
 
 Field |Success |Failure |Comment |Reference
 |------|------|------|------|------|
-Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |
 HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store |
 Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? |
 Proxy Address | | |If configured, returns proxy address. |
-Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |
 Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy.  |
 
 #### Environment
@@ -131,5 +131,5 @@ SIP Pool Cert Root CA | | |Information. Display the SIP Pool Cert Root CA, if av
 
 Field |Success |Failure |Comment |Reference
 |------|------|------|------|------|
-Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. |[Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/)
+Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. 
 Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. |
diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
index 4e0f5b098c..436bbbe48d 100644
--- a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
@@ -26,24 +26,21 @@ Verify you have a current documentation of your MBAM environment, including all
 ### Upgrade steps
 #### Steps to upgrade the MBAM Database (SQL Server)
 1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one.
-   Note: You will not see an option to remove the Databases; this is expected.  
+  > [!NOTE]
+  > You will not see an option to remove the Databases; this is expected.  
 2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site:  <https://www.microsoft.com/Licensing/servicecenter/default.aspx>
 3. Do not configure it at this time 
-4. Install the May 2019 Rollup: https://www.microsoft.com/download/details.aspx?id=58345
-5. Using the MBAM Configurator; re-add the Reports role
-6. This will configure the SSRS connection using the latest MBAM code from the rollup 
-7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server.
-8. At the end, you will be warned that the DBs already exist and  weren’t created, but this is expected.
-9. This process updates the existing databases to the current version  being installed                  
+4. Using the MBAM Configurator; re-add the Reports role
+5. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server
+6. At the end, you will be warned that the DBs already exist and  weren’t created, but this is expected
+7. This process updates the existing databases to the current version being installed.              
 
 #### Steps to upgrade the MBAM Server (Running MBAM and IIS)
 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from  the IIS server
 2. Install MBAM 2.5 SP1
 3. Do not configure it at this time  
-4. Install the May 2019 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=58345)
-5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
-6. This will configure the sites using the latest MBAM code from the May 2019 Rollup
-7. Open an elevated command prompt, Type: **IISRESET** and Hit Enter.
+4. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
+5. Open an elevated command prompt, type **IISRESET**, and hit Enter.
  
 #### Steps to upgrade the MBAM Clients/Endpoints
 1. Uninstall the 2.5 Agent from client endpoints
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 205e2c3711..da98a12e3b 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -33,14 +33,14 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
 
 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
 
-   a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
+   a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
 
    >[!NOTE]
    >You must download the FOD .cab file that matches your operating system version.
 
    b. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
 
-    ```
+    ```powershell
     Add-Package
     Dism /Online /add-package /packagepath:(path)
     ```
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 7dffe7b0a9..17f9e5e49f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -65,7 +65,7 @@ The hybrid deployment model is for organizations that:
 * Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
 
 > [!Important]
-> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.</br>
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.</br>
 > **Requirements:**</br>
 > Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903</br>
 > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 7cdd7f45b1..56c13ecbbe 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -55,7 +55,8 @@ Network Unlock must meet mandatory hardware and software requirements before the
 
 The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
 
->**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
+> [!NOTE]
+> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
 
 For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
  
@@ -243,7 +244,8 @@ The following steps describe how to enable the Group Policy setting that is a re
 
 The following steps describe how to deploy the required Group Policy setting:
 
->**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
+> [!NOTE]
+> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
  
 1.  Copy the .cer file created for Network Unlock to the domain controller.
 2.  On the domain controller, launch Group Policy Management Console (gpmc.msc).
@@ -254,10 +256,12 @@ The following steps describe how to deploy the required Group Policy setting:
     2.  Right-click the folder and choose **Add Network Unlock Certificate**.
     3.  Follow the wizard steps and import the .cer file that was copied earlier.
 
->**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
+> [!NOTE]
+> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
 
 5. Reboot the clients after deploying the group policy.
-   >**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
+   > [!NOTE]
+   > The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
  
 ### Subnet policy configuration files on WDS Server (Optional)
 
@@ -276,7 +280,8 @@ SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more usef
 ```
 Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
 
->**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
+> [!NOTE]
+> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
 
 Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
 Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
@@ -295,7 +300,8 @@ To disallow the use of a certificate altogether, its subnet list may contain the
 
 To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
 
->**Note:**  Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
+> [!NOTE]
+> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
  
 ## <a href="" id="bkmk-updatecerts"/>Update Network Unlock certificates
 
@@ -311,12 +317,13 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
 - Group policy for Network Unlock is enabled and linked to the appropriate domains.
 - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
 - Verify the clients were rebooted after applying the policy.
-- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer:
+- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer:
 
   ```powershell
   manage-bde -protectors -get C:
   ```
-  >**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
+  > [!NOTE]
+  > Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
  
 Files to gather when troubleshooting BitLocker Network Unlock include:
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
index 6641950721..cc0b92af10 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
@@ -39,9 +39,7 @@ If your client secret expires or if you've misplaced the copy provided when you
 
 3. Select your tenant.
 
-4. Click **App registrations**. Then in the applications list, select the application:
-    - For SIEM: `https://WindowsDefenderATPSiemConnector`
-    - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+4. Click **App registrations**. Then in the applications list, select the application.
 
 5. Select **Keys** section, then provide a key description and specify the key validity duration.
 
@@ -59,9 +57,7 @@ If you encounter an error when trying to get a refresh token when using the thre
 
 3. Select your tenant.
 
-4. Click **App Registrations**. Then in the applications list, select the application:
-    - For SIEM: `https://WindowsDefenderATPSiemConnector`
-    - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+4. Click **App Registrations**. Then in the applications list, select the application.
 
 5. Add the following URL:
    - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`