diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index db312c63cd..4a22e37c62 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -3,7 +3,7 @@
  :acrolinx-check-settings
  {
   "languageId" "en"
-  "ruleSetName" "Standard Commercial"
+  "ruleSetName" "Standard"
   "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE"
                         "TERMINOLOGY_DEPRECATED"
                         "TERMINOLOGY_VALID"
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index a4dfbd0f88..3b8c2ce3db 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,11 @@
 {
 "redirections": [
 {
+"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
+"redirect_document_id": true
+},
+{
 "source_path": "devices/hololens/hololens-whats-new.md",
 "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
 "redirect_document_id": true
@@ -111,6 +116,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/deployment/update/update-compliance-perspectives.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-using",
+"redirect_document_id": true
+},
+{
 "source_path": "browsers/edge/hardware-and-software-requirements.md",
 "redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge",
 "redirect_document_id": true
@@ -1492,6 +1502,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview",
 "redirect_document_id": true
@@ -6222,6 +6237,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/deployment/update/update-compliance-wdav-status.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/manage/update-compliance-using.md",
 "redirect_url": "https://docs.microsoft.com/windows/deployment/update/update-compliance-using",
 "redirect_document_id": true
@@ -7952,11 +7972,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md",
-"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/deploy/offline-migration-reference.md",
 "redirect_url": "https://docs.microsoft.com/windows/deployment/usmt/offline-migration-reference",
 "redirect_document_id": true
@@ -15577,6 +15592,11 @@
 "redirect_document_id": false
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/licensing.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/release-information/status-windows-10-1703.yml",
 "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center",
 "redirect_document_id": true
@@ -15750,6 +15770,106 @@
 "source_path": "windows/deployment/deploy-windows-mdt/key-features-in-mdt.md",
 "redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt",
 "redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/upgrade-to-windows-10-with-configuraton-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/create-a-task-sequence-with-configuration-manager-and-mdt",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/integrate-configuration-manager-with-mdt",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-mdt/deploy-windows-10-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/get-started-with-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/integrate-configuration-manager-with-mdt.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/integrate-configuration-manager-with-mdt",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/create-a-task-sequence-with-configuration-manager-and-mdt.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager#procedures",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/upgrade-to-windows-10-with-configuraton-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/get-started-with-configuraton-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/get-started-with-configuraton-manager",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deployment/deploy-windows-sccm/deploy-windows-10-with-configuration-manager.md",
+"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/get-started-with-configuraton-manager",
+"redirect_document_id": false
 }
 ]
 }
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md
index 1ef991e263..c67f992071 100644
--- a/browsers/edge/includes/configure-autofill-include.md
+++ b/browsers/edge/includes/configure-autofill-include.md
@@ -3,7 +3,8 @@ author: eavena
 ms.author: eravena
 ms.date:  10/02/2018
 ms.reviewer: 
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
 ms.prod: edge
 ms.topic: include
 ---
@@ -19,8 +20,8 @@ ms.topic: include
 |          Group Policy           |  MDM  | Registry |            Description            |                 Most restricted                  |
 |---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:|
 | Not configured<br>**(default)** | Blank |  Blank   | Users can choose to use Autofill. |                                                  |
-|            Disabled             |   0   |    no    |            Prevented.             | ![Most restricted value](../images/check-gn.png) |
-|             Enabled             |   1   |   yes    |             Allowed.              |                                                  |
+|            Disabled             |   0   |     0    |            Prevented.             | ![Most restricted value](../images/check-gn.png) |
+|             Enabled             |   1   |     1    |             Allowed.              |                                                  |
 
 ---
 
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 28a0957588..ceb4d9b0f2 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -47,6 +47,7 @@
 #### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
 #### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
 #### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md)
 ### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
 #### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
 ##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 46a8edef5e..0977b87b94 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -7,7 +7,8 @@ author: dansimp
 ms.prod: ie11
 ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
 ms.reviewer: 
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
 ms.author: dansimp
 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
@@ -57,16 +58,20 @@ You can add individual sites to your compatibility list by using the Enterprise
 
 5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
 
-   -   **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+   -   **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
 
    -   **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
 
    -   **None**. Opens in whatever browser the employee chooses.
 
-6. Click **Save** to validate your website and to add it to the site list for your enterprise.<p>
+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
+
+7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes).
+
+8. Click **Save** to validate your website and to add it to the site list for your enterprise.<p>
    If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
 
-7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.<p>
+9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.<p>
    You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
 
 ## Next steps
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 008e2624c0..d94601a9d5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
 If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
 
 ## Group Policy Object-related Log Files
-You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917).
+You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**
 
  
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
new file mode 100644
index 0000000000..bb22b43b3f
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -0,0 +1,47 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to use Site List Manager to review neutral sites for IE mode
+author: dansimp
+ms.prod: ie11
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
+ms.reviewer: 
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+ms.sitesec: library
+ms.date: 04/02/2020
+---
+
+# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8
+- Windows Server 2012 R2
+- Microsoft Edge version 77 or later
+
+> [!NOTE]
+> This feature is available on the Enterprise Mode Site List Manager version 11.0.
+
+## Overview
+
+While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
+
+The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
+
+## Flag neutral sites
+
+To identify neutral sites to review:
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**.
+2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge.
+3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again.
+
+## Related topics
+
+- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode)
+- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index bc468576ed..0f35b04d1c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -31,7 +31,7 @@ You can search to see if a specific site already appears in your global Enterpri
  **To search your compatibility list**
 
 - From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.<p>
-  The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
+  The search query searches all of the text. For example, entering *“micro”* will return results like, `www.microsoft.com`, `microsoft.com`, and `microsoft.com/images`. Wildcard characters aren’t supported.
 
 ## Related topics
 - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 58ffc300ce..3cbc140f4b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ ms.date: 12/04/2017
 -   Windows Server 2012 R2
 -   Windows Server 2008 R2 with Service Pack 1 (SP1)
 
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
 
 You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
 
@@ -49,12 +49,14 @@ The following topics give you more information about the things that you can do
 |[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
 |[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. |
 |[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
 |[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.<p>This topic applies to both versions of the Enterprise Mode Site List Manager. |
+| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion.<p> This topic applies to the latest version of the Enterprise Mode Site List Manager.
 
 ## Related topics
 
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 8547f7cf59..4decd51404 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -5,6 +5,7 @@
 ## [Get your HoloLens 2 ready to use](hololens2-setup.md)
 ## [Set up your HoloLens 2](hololens2-start.md)
 ## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md)
+## [Frequently asked questions about cleaning HoloLens 2 devices](hololens2-maintenance.md)
 ## [Supported languages for HoloLens 2](hololens2-language-support.md)
 ## [Getting around HoloLens 2](hololens2-basic-usage.md)
 
@@ -58,6 +59,7 @@
 ## [Update HoloLens](hololens-update-hololens.md)
 ## [Restart, reset, or recover HoloLens](hololens-recovery.md)
 ## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
+## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md)
 ## [Known issues for HoloLens](hololens-known-issues.md)
 ## [Frequently asked questions](hololens-faq.md)
 ## [Frequently asked security questions](hololens-faq-security.md)
diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md
index 0973813221..90c5b236fd 100644
--- a/devices/hololens/holographic-3d-viewer-beta.md
+++ b/devices/hololens/holographic-3d-viewer-beta.md
@@ -1,6 +1,6 @@
 ---
-title: Using 3D Viewer on HoloLens
-description: Describes the types of files and features that 3D Viewer Beta on HoloLens supports, and how to use and troubleshoot the app.
+title: Using 3D Viewer Beta on HoloLens
+description: Describes the types of files and features that 3D Viewer Beta on HoloLens (1st gen) supports, and how to use and troubleshoot the app.
 ms.prod: hololens
 ms.sitesec: library
 author: Teresa-Motiv
@@ -15,15 +15,18 @@ appliesto:
 - HoloLens (1st gen)
 ---
 
-# Using 3D Viewer on HoloLens
+# Using 3D Viewer Beta on HoloLens
 
-3D Viewer lets you view 3D models on HoloLens. You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+3D Viewer Beta lets you view 3D models on HoloLens (1st gen). You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
 
-If you're having trouble opening a 3D model in 3D Viewer, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
+>[!NOTE]
+>This article applies to the immersive Unity **3D Viewer Beta** app, which supports .fbx files and is only available on HoloLens (1st gen). The pre-installed **3D Viewer** app on HoloLens 2 supports opening custom .glb 3D models in the mixed reality home (see [Asset requirements overview](https://docs.microsoft.com/windows/mixed-reality/creating-3d-models-for-use-in-the-windows-mixed-reality-home#asset-requirements-overview) for more details. 
 
-To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer-beta).
+If you're having trouble opening a 3D model in 3D Viewer Beta, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
 
-There are two ways to open a 3D model on HoloLens. See [Viewing 3D models on HoloLens](#viewing-3d-models-on-hololens) to learn more.
+To build or optimize 3D models for use with 3D Viewer Beta, see [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+
+There are two ways to open a 3D model on HoloLens. See [Viewing FBX files on HoloLens](#viewing-fbx-files-on-hololens) to learn more.
 
 If you're having trouble after reading these topics, see [Troubleshooting](#troubleshooting).
 
@@ -122,7 +125,7 @@ By default, 3D Viewer Beta displays 3D models at a comfortable size and position
 
 To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer Beta will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer Beta is 1 meter per FBX unit.
 
-## Viewing 3D models on HoloLens
+## Viewing FBX files on HoloLens
 
 ### Open an FBX file from Microsoft Edge
 
diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index 8cc17b758c..38964c7a7d 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -207,7 +207,7 @@ You can pair other Bluetooth HID and GATT devices together with your HoloLens. H
 
 Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures.
 
-If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker).
+If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#hololens-1st-gen-pair-the-clicker).
 
 If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again.
 
diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md
index cfc55d1070..b03fb4479f 100644
--- a/devices/hololens/hololens-calibration.md
+++ b/devices/hololens/hololens-calibration.md
@@ -33,7 +33,8 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan
 - The user previously opted out of the calibration process
 - The calibration process did not succeed the last time the user used the device
 - The user has deleted their calibration profiles
-- The visor is raised and the lowered and any of the above circumstances apply (this may be disabled in **Settings > System > Calibration**.)
+- The device is taken off and put back on and any of the above circumstances apply 
+
 
 ![Calibration prompt](./images/07-et-adjust-for-your-eyes.png)
 
@@ -85,6 +86,8 @@ If calibration is unsuccessful try:
 
 If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
 
+Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system. 
+
 ### Calibration data and security
 
 Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful.
@@ -104,6 +107,8 @@ You can also disable the calibration prompt by following these steps:
 ### HoloLens 2 eye-tracking technology
 
 The device uses its eye-tracking technology to improve display quality, and to ensure that all holograms are positioned accurately and comfortable to view in 3D. Because it uses the eyes as landmarks, the device can adjust itself for every user and tune its visuals as the headset shifts slightly throughout use.  All adjustments happen on the fly without a need for manual tuning.
+> [!NOTE]
+> Setting the IPD is not applicable for Hololens 2, since eye positions are computed by the system.
 
 HoloLens applications use eye tracking to track where you are looking in real time. This is the main capability developers can leverage to enable a whole new level of context, human understanding and interactions within the Holographic experience. Developers don’t need to do anything to leverage this capability.
 
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index bbe2dad4d3..7926dab884 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -8,7 +8,7 @@ author: Teresa-Motiv
 ms.author: v-tea
 ms.topic: article
 ms.localizationpriority: high
-ms.date: 09/13/2019
+ms.date: 03/11/2020
 manager: jarrettr
 appliesto:
 - HoloLens (1st gen)
@@ -19,56 +19,58 @@ appliesto:
 
 ## Pair Bluetooth devices
 
-Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard.
-
-Classes of Bluetooth devices supported by HoloLens 2:
+HoloLens 2 supports the following classes of Bluetooth devices:
 
 - Mouse
 - Keyboard
 - Bluetooth audio output (A2DP) devices
 
-Classes of Bluetooth devices supported by HoloLens (1st gen):
+HoloLens (1st gen) supports the following classes of Bluetooth devices:
 
 - Mouse
 - Keyboard
 - HoloLens (1st gen) clicker
 
 > [!NOTE]
-> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](https://go.microsoft.com/fwlink/p/?LinkId=746660).
+> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [HoloLens Settings lists devices as available, but the devices don't work](hololens-FAQ.md#hololens-settings-lists-devices-as-available-but-the-devices-dont-work).
 
 ### Pair a Bluetooth keyboard or mouse
 
-1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. To learn how to do this, check the device or visit the manufacturer's website.
+1. Turn on your keyboard or mouse, and make it discoverable. To learn how to make the device discoverable, look for information on the device (or its documentation) or visit the manufacturer's website.
 
-1. Use the bloom gesture (HoloLens (1st gen) or the start gesture (HoloLens 2) to go to **Start**, then select **Settings**.
-1. Select **Devices** and make sure that Bluetooth is on. When you see the device name, select **Pair** and follow the instructions.
+1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings**.
+1. Select **Devices**, and make sure that Bluetooth is on.  
+1. When you see the device name, select **Pair**, and then follow the instructions.
 
-### Pair the clicker
+### HoloLens (1st gen): Pair the clicker
 
-> Applies to HoloLens (1st gen) only.
-
-1. Use the bloom gesture to go to **Start**, then select **Settings**.
-
-1. Select **Devices** and make sure that Bluetooth is on.
-1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens1-clicker.md)
+1. Use the bloom gesture to go to **Start**, and then select **Settings**.
+1. Select **Devices**, and make sure that Bluetooth is on.
+1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.  
+   The pairing button is on the underside of the clicker, next to the finger loop.
+   ![The pairing button is beside the finger loop](images/use-hololens-clicker-1.png)
 1. On the pairing screen, select **Clicker** > **Pair**.
 
-## Connect USB-C devices
+## HoloLens 2: Connect USB-C devices
 
-> Applies to HoloLens 2 only.
-
-HoloLens 2 lets you connect a wide range of USB-C devices.
-
-HoloLens 2 supports the following devices classes:
+HoloLens 2 supports the following classes of USB-C devices:
 
 - Mass storage devices (such as thumb drives)
-- Ethernet adapters (including ethernet with charging)
-- USB-C to 3.5mm digital audio adapters
-- USB-C digital audio headsets (including headset adapters with charging)
+- Ethernet adapters (including ethernet plus charging)
+- USB-C-to-3.5mm digital audio adapters
+- USB-C digital audio headsets (including headset adapters plus charging)
 - Wired mouse
 - Wired keyboard
-- Combination PD hubs (USB A + PD charging)
+- Combination PD hubs (USB A plus PD charging)
 
 ## Connect to Miracast
 
-Use Miracast by opening the **Start** menu and selecting the display icon or saying "Connect" while gazing at the **Start** menu. Choose an available device from the list that appears and complete pairing to begin projection.
+To use Miracast, follow these steps:
+
+1. Do one of the following:  
+
+   - Open the **Start** menu, and select the display icon.
+   - Say "Connect" while you gaze at the **Start** menu.  
+
+1. On the list of devices that appears, select an available device.
+1. Complete the pairing to begin projecting.
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index 05d9a46105..a19c9d48cf 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -2,13 +2,13 @@
 title: Use your voice with HoloLens
 description: Cortana can help you do all kinds of things on your HoloLens
 ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
-ms.date: 11/8/2019
+ms.date: 03/10/2020
 keywords: hololens
 ms.prod: hololens
 ms.sitesec: library
-author: v-miegge
+author: Teresa-Motiv
 audience: ITPro
-ms.author: v-miegge
+ms.author: v-tea
 ms.topic: article
 manager: jarrettr
 ms.localizationpriority: high
@@ -48,6 +48,19 @@ Use these commands throughout Windows Mixed Reality to get around faster. Some c
 |Hide and show hand ray | "Hide hand ray" / "Show hand ray" |
 |See available speech commands | "What can I say?" |
 
+Starting with version 19041.x of HoloLens 2, you can also use these commands:
+
+| Say this | To do this |
+| - | - |
+| "Restart device" | Bring up a dialogue to confirm you want to restart the device. You can say "yes" to restart. |
+| "Shutdown device" | Bring up a dialogue to confirm you want to turn off the device. You can say "yes" to confirm. |
+| "Brightness up/down" | Increase or decrease the display brightness by 10%. |
+| "Volume up/down" | Increase or decrease the volume by 10%. |
+| "What's my IP address" | Bring up a dialogue displaying your device's current IP address on the local network. |
+| "Take a picture" | Capture a mixed reality photo of what you are currently seeing. |
+| "Take a video" | Start recording a mixed reality video. | 
+| "Stop recording" | Stops the current mixed reality video recording if one is in progress. |
+
 ### Hologram commands
 
 To use these commands, gaze at a 3D object, hologram, or app window.
@@ -63,11 +76,11 @@ To use these commands, gaze at a 3D object, hologram, or app window.
 
 ### See it, say it
 
-Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor** on it for a moment to see a voice tip.
+Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor**,**touch cursor** or one **hand ray** on it for a moment. If the button is voice-enabled, you'll see a voice tip.
 
 ### Dictation mode
 
-Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
+Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that." 
 
 > [!NOTE]
 > To use dictation mode, you have to have an internet connection.
@@ -87,7 +100,7 @@ Sometimes it's helpful to spell out things like email addresses. For instance, t
 
 ## Do more with Cortana
 
-Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. She can give you suggestions, ideas, reminders, alerts, and more. To get her attention, select Cortana  on **Start** or say "Hey Cortana" anytime.
+Cortana can help you do all kinds of things on your HoloLens, but depending on which version of Windows Holographic you're using, the capablities may be different. You can learn more about the updated capabilites of the latest version of Cortana [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/). 
 
 ![Hey Cortana!](images/cortana-on-hololens.png)
 
@@ -96,22 +109,27 @@ Here are some things you can try saying (remember to say "Hey Cortana" first).
 **Hey, Cortana**...
 
 - What can I say?
+- Launch <*app name*>.
+- What time is it?
+- Show me the latest NBA scores.
+- Tell me a joke.
+
+If you're using *version 18362.x or earlier*, you can also use these commands:
+
+**Hey, Cortana**...
+
 - Increase the volume.
 - Decrease the brightness.
 - Shut down.
 - Restart.
 - Go to sleep.
 - Mute.
-- Launch <*app name*>.
 - Move <*app name*> here (gaze at the spot that you want the app to move to).
 - Go to Start.
 - Take a picture.
 - Start recording. (Starts recording a video.)
 - Stop recording. (Stops recording a video.)
-- What time is it?
-- Show me the latest NBA scores.
 - How much battery do I have left?
-- Tell me a joke.
 
 Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another.
 
diff --git a/devices/hololens/hololens-diagnostic-logs.md b/devices/hololens/hololens-diagnostic-logs.md
new file mode 100644
index 0000000000..212f936079
--- /dev/null
+++ b/devices/hololens/hololens-diagnostic-logs.md
@@ -0,0 +1,269 @@
+---
+title: Collect and use diagnostic information from HoloLens devices
+description: 
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 03/23/2020
+ms.prod: hololens
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.topic: article
+ms.custom: 
+- CI 115131
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords: 
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Collect and use diagnostic information from HoloLens devices
+
+HoloLens users and administrators can choose from among four different methods to collect diagnostic information from HoloLens:
+
+- Feedback Hub app
+- DiagnosticLog CSP
+- Settings app
+- Fallback diagnostics
+
+> [!IMPORTANT]  
+> Device diagnostic logs contain personally identifiable information (PII), such as about what processes or applications the user starts during typical operations. When multiple users share a HoloLens device (for example, users sign in to the same device by using different Microsoft Azure Active Directory (AAD) accounts) the diagnostic logs may contain PII information that applies to multiple users. For more information, see [Microsoft Privacy statement](https://privacy.microsoft.com/privacystatement).
+
+The following table compares the four collection methods. The method names link to more detailed information in the sections that follow the table.
+
+|Method |Prerequisites |Data locations |Data access and use |Data retention |
+| --- | --- | --- | --- | --- |
+|[Feedback Hub](#feedback-hub) |Network and internet connection<br /><br />Feedback Hub app<br /><br />Permission to upload files to the Microsoft cloud |Microsoft cloud<br /><br />HoloLens device (optional) |User requests assistance, agrees to the terms of use, and uploads the data<br /><br />Microsoft employees view the data, as consistent with the terms of use |Data in the cloud is retained for the period that is defined by Next Generation Privacy (NGP). Then the data is deleted automatically.<br /><br />Data on the device can be deleted at any time by a user who has **Device owner** or **Admin** permissions. |
+|[Settings Troubleshooter](#settings-troubleshooter) |Settings app |HoloLens device<br /><br />Connected computer (optional) |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+|[DiagnosticLog CSP](#diagnosticlog-csp) |Network connection<br /><br />MDM environment that supports the DiagnosticLog CSP |Administrator configures storage locations |In the managed environment, the user implicitly consents to administrator access to the data.<br /><br />Administrator configures access roles and permissions. | Administrator configures retention policy. |
+|[Fallback diagnostics](#fallback-diagnostics) |Device configuration:<ul><li>Powered on and connected to computer</li><li>Power and Volume buttons functioning</li></ul> |HoloLens device<br /><br />Connected computer |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+
+## Feedback Hub
+
+A HoloLens user can use the Microsoft Feedback Hub desktop app to send diagnostic information to Microsoft Support. For details and complete instructions, see [Give us feedback](hololens-feedback.md).  
+
+> [!NOTE]  
+> **Commercial or enterprise users:** If you use the Feedback Hub app to report a problem that relates to MDM, provisioning, or any other device management aspect, change the app category to **Enterprise Management** > **Device category**.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The Feedback Hub app is available on the user's desktop computer, and the user can upload files to the Microsoft cloud.
+
+### Data locations, access, and retention
+
+By agreeing to the terms-of-use of the Feedback Hub, the user explicitly consents to the storage and usage of the data (as defined by that agreement).
+
+The Feedback Hub provides two places for the user to store diagnostic information:
+
+- **The Microsoft cloud**. Data that the user uploads by using the Feedback Hub app is stored for the number of days that is consistent with Next Generation Privacy (NGP) requirements. Microsoft employees can use an NGP-compliant viewer to access the information during this period.
+   > [!NOTE]  
+   > These requirements apply to data in all Feedback Hub categories.
+
+- **The HoloLens device**. While filing a report in Feedback Hub, the user can select **Save a local copy of diagnostics and attachments created when giving feedback**. If the user selects this option, the Feedback Hub stores a copy of the diagnostic information on the HoloLens device. This information remains accessible to the user (or anyone that uses that account to sign in to HoloLens). To delete this information, a user must have **Device owner** or **Admin** permissions on the device. A user who has the appropriate permissions can sign in to the Feedback Hub, select **Settings** > **View diagnostics logs**, and delete the information.
+
+## Settings Troubleshooter
+
+A HoloLens user can use the Settings app on the device to troubleshoot problems and collect diagnostic information. To do this, follow these steps:
+
+1. Open the Settings app and select **Update & Security** > **Troubleshoot** page.
+1. Select the appropriate area, and select **Start**.
+1. Reproduce the issue.
+1. After you reproduce the issue, return to Settings and then select **Stop**.
+
+### Prerequisites
+
+- The Settings app is installed on the device and is available to the user.
+
+### Data locations, access, and retention
+
+Because the user starts the data collection, the user implicitly consents to the storage of the diagnostic information. Only the user, or anyone with whom that the user shares the data, can access the data.
+
+The diagnostic information is stored on the device. If the device is connected to the user's computer, the information also resides on the computer in the following file:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents\\Trace\<*ddmmyyhhmmss*>.etl
+
+> [!NOTE]  
+> In this file path and name, \<*HoloLens device name*> represents the name of the HoloLens device, and \<*ddmmyyhhmmss*> represents the date and time that the file was created.
+
+The diagnostic information remains in these locations until the user deletes it.
+
+## DiagnosticLog CSP
+
+In a Mobile Device Management (MDM) environment, the IT administrator can use the the [DiagnosticLog configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/diagnosticlog-csp) to configure diagnostic settings on enrolled HoloLens devices. The IT administrator can configure these settings to collect logs from enrolled devices.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The device is enrolled in an MDM environment that supports the DiagnosticLog CSP.
+
+### Data locations, access, and retention
+
+Because the device is part of the managed environment, the user implicitly consents to administrative access to diagnostic information.
+
+The IT administrator uses the DiagnosticLog CSP to configure the data storage, retention, and access policies, including the policies that govern the following:
+
+- The cloud infrastructure that stores the diagnostic information.
+- The retention period for the diagnostic information.
+- Permissions that control access to the diagnostic information.
+
+## Fallback diagnostics
+
+While device telemetry usually provides an initial understanding of a problem report, some issues require a broader and deeper understanding of the device state. When you (as a user or an administrator) investigate such issues, diagnostic logs that reside on the device are more useful than the basic device telemetry.
+
+The fallback diagnostics process provides a way for you to gather diagnostic information if no other methods are available. Such scenarios include the following:
+
+- The network or network-based resources (such as the Feedback Hub, MDM, and so on) are not available.
+- The device is "stuck" or locked in a state in which usual troubleshooting capabilities (such as the Settings app) are not available. Such scenarios include the Out-of-Box-Experience (OOBE), kiosk mode, and a locked or "hung" user interface.
+
+> [!IMPORTANT]  
+> - On HoloLens 2 devices, you can use fallback diagnostics under the following conditions only:
+>   - During the Out-of-the-Box-Experience (OOBE) and when you select **Send Full Diagnostics Data**.
+>   - If the environment's Group Policy enforces the **System\AllowTelemetry** policy value of **Full**.
+> - On HoloLens (1st gen) devices, you can use fallback diagnostics on HoloLens version 17763.316 or a later version. This version is the version that the Windows Device Recovery Tool restores when it resets the device.  
+
+### How to use fallback diagnostics
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+### Data locations
+
+The device stores the data locally. You can access that information from the connected desktop computer at the following location:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents
+
+For more information about the files that the fallback diagnostics process collects, see [What diagnostics files does the fallback diagnostics process collect?](#what-diagnostics-files-does-the-fallback-diagnostics-process-collect).
+
+### Data access, use, and retention
+
+Because you store the data yourself, only you have access to the data. If you choose to share the data with another user, you implicitly grant permission for that user to access or store the data.
+
+The data remains until you delete it.
+
+### Frequently asked questions about fallback diagnostics on HoloLens
+
+#### Does the device have to be enrolled with an MDM system?
+
+No.
+
+#### How can I use fallback diagnostics on HoloLens?
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+#### How would I know that data collection finished?
+
+The fallback diagnostics process does not have a user interface. On HoloLens 2, when the process starts to collect data, it creates a file that is named HololensDiagnostics.temp. When the process finishes, it removes the file.
+
+#### What diagnostics files does the fallback diagnostics process collect?
+
+The fallback diagnostics process collects one or more .zip files, depending on the version of HoloLens. The following table lists each of the possible .zip files, and the applicable versions of HoloLens.
+
+|File |Contents |HoloLens (1st gen) |HoloLens 2 10.0.18362+ |HoloLens 2 10.0.19041+ |
+| --- | --- | --- | --- | --- |
+|HololensDiagnostics.zip |Files&nbsp;for&nbsp;tracing sessions that ran on the device.<br /><br />Diagnostic information that's specific to Hololens. |✔️ |✔️ |✔️ |
+|DeviceEnrollmentDiagnostics.zip |Information that's related to MDM, device enrollment, CSPs, and policies. | |✔️ |✔️ |
+|AutoPilotDiagnostics.zip |Information that's related to autopilot and licensing.| | |✔️ |
+|TPMDiagnostics.zip |Information that's related to the trusted platform module (TPM) on the device | | |✔️ |
+
+> [!NOTE]  
+> Starting on May 2, 2019, the fallback diagnostics process collects EventLog*.etl files only if the signed-in user is the device owner. This is because these files may contain PII data. Such data is accessible to device owners only. This behavior matches the behavior of Windows desktop computers, where administrators have access to event log files but other users do not.
+
+**Sample diagnostic content for HoloLens (1st gen)**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+
+**Sample diagnostic content for HoloLens 2 10.0.18362+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+**Sample diagnostic content for HoloLens 2 10.0.19041+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+- DisplayDiagnosticData.json
+- HUP dumps
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+AutoPilotDiagnostics.zip contains files such as the following:
+
+- DeviceHash_HoloLens-U5603.csv
+- LicensingDiag.cab
+- LicensingDiag_Output.txt
+- TpmHliInfo_Output.txt
+- DiagnosticLogCSP_Collector_DeviceEnrollment_\*.etl
+- DiagnosticLogCSP_Collector_Autopilot_*.etl
+
+TPMDiagnostics.zip contains files such as the following:
+
+- CertReq_enrollaik_Output.txt
+- CertUtil_tpminfo_Output.txt
+- TPM\*.etl
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 1f4858772e..68262afb5b 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -36,13 +36,13 @@ If you no longer want to receive Insider builds of Windows Holographic, you can
 
 To verify that your HoloLens is running a production build:
 
-- Go to **Settings > System > About**, and find the build number.
-- [See the release notes for production build numbers.](hololens-release-notes.md)
+1. Go to **Settings > System > About**, and find the build number.
+1. [See the release notes for production build numbers.](hololens-release-notes.md)
 
 To opt out of Insider builds:
 
-- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
-- Follow the instructions to opt out your device.
+1. On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
+1. Follow the instructions to opt out your device.
 
 ## Provide feedback and report issues
 
@@ -65,8 +65,9 @@ Here's a quick summary of what's new:
 - Seamlessly apply a provisioning package from a USB drive to your HoloLens
 - Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
 - Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use.  Send a note to hlappreview@microsoft.com to join the preview.
-- Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode."
+- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
 - Support for additional system voice commands
+- An updated Cortana app with a focus on productivity
 - Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
 - Performance and stability improvements across the product
 - More information in settings on HoloLens about the policy pushed to the device
@@ -95,9 +96,30 @@ You can now can access these commands with your voice:
 - "Volume up"
 - "Volume down"
 - "What is my IP address?"
+- "Take a picture"
+- "Take a video" / "Stop recording"
 
 If you're running your system with a different language, please try the appropriate commands in that language.
 
+### Cortana updates
+The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/). 
+
+There's currently an issue we're investigating that requires you to launch the app once after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works. 
+
+### Dark mode
+Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
+Here are some of the in-box apps that support Dark mode!
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
 ### FFU download and flash directions
 To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
 1. On PC
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index c350d951eb..70edc38d5e 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -1,5 +1,6 @@
 ---
-title: Use a provisioning package to configure HoloLens
+title: Configure HoloLens by using a provisioning package (HoloLens)
+
 description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
 ms.prod: hololens
 ms.sitesec: library
@@ -9,20 +10,23 @@ ms.custom:
 author: dansimp
 ms.author: dansimp
 ms.topic: article
+ms.custom: 
+- CI 115190
+- CSSTroubleshooting
 ms.localizationpriority: medium
-ms.date: 11/13/2018
-ms.reviewer: 
+ms.date: 03/10/2020
+ms.reviewer: Teresa-Motiv
 manager: dansimp
 appliesto:
 - HoloLens (1st gen)
 - HoloLens 2
 ---
 
-# Use a provisioning package to configure HoloLens
+# Configure HoloLens by using a provisioning package
 
 [Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.
 
-Some of the HoloLens configurations that you can apply in a provisioning package:
+Some of the HoloLens configurations that you can apply in a provisioning package include the following:
 
 - Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md)
 - Set up a local account
@@ -38,43 +42,42 @@ The HoloLens wizard helps you configure the following settings in a provisioning
 - Upgrade to the enterprise edition
 
     > [!NOTE]
-    > This should only be used for HoloLens 1st Gen devices. Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+    > This should only be used for HoloLens 1st gen devices. Settings in a provisioning package are only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
 
 - Configure the HoloLens first experience (OOBE)
-- Configure Wi-Fi network
-- Enroll device in Azure Active Directory or create a local account
+- Configure the Wi-Fi network
+- Enroll the device in Azure Active Directory, or create a local account
 - Add certificates
 - Enable Developer Mode
-- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)).
+- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)
 
 > [!WARNING]
 > You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
 
-Provisioning packages can include management instructions and policies, customization of network connections and policies, and more.
+Provisioning packages can include management instructions and policies, custom network connections and policies, and more.
 
 > [!TIP]
 > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
 
-## Steps for Creating Provisioning Packages
+## Steps for creating provisioning packages
 
-### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
+1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). This includes HoloLens 2 capabilities.
+2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configuration Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. This option does not include HoloLens 2 capabilities.
 
-1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
-2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
 
-### 2. Create the Provisioning Package
+### 2. Create the provisioning package
 
 Use the Windows Configuration Designer tool to create a provisioning package.
 
 1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
 
-2. Click **Provision HoloLens devices**.
+2. Select **Provision HoloLens devices**.
 
    ![ICD start options](images/icd-create-options-1703.png)
 
-3. Name your project and click **Finish**.
+3. Name your project and select **Finish**.
 
-4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning will walk you through the following steps.
+4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning walk you through the following steps.
   
 > [!IMPORTANT]
 > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
@@ -83,108 +86,110 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 
 <table>
 <tr><td style="width:45%" valign="top"><a id="one"></a><img src="images/one.png" alt="step one"/><img src="images/set-up-device.png" alt="set up device"/></br></br>Browse to and select the enterprise license file to upgrade the HoloLens edition.</br></br>You can also toggle <strong>Yes</strong> or <strong>No</strong> to hide parts of the first experience.</br></br>To set up the device without the need to connect to a Wi-Fi network, toggle <strong>Skip Wi-Fi setup</strong> to <strong>On</strong>.</br></br>Select a region and timezone in which the device will be used. </td><td><img src="images/set-up-device-details.png" alt="Select enterprise licence file and configure OOBE"/></td></tr>
-<tr><td style="width:45%" valign="top"><a id="two"></a><img src="images/two.png" alt="step two"/>  <img src="images/set-up-network.png" alt="set up network"/></br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details-desktop.png" alt="Enter network SSID and type"/></td></tr>
-<tr><td style="width:45%" valign="top"><a id="three"></a><img src="images/three.png" alt="step three"/>  <img src="images/account-management.png" alt="account management"/></br></br>You can enroll the device in Azure Active Directory, or create a local account on the device</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Click <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions. </br></br>To create a local account, select that option and enter a user name and password. </br></br><strong>Important:</strong> (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the <strong>Settings</strong> app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td><img src="images/account-management-details.png" alt="join  Azure AD or create a local  account"/></td></tr>
+<tr><td style="width:45%" valign="top"><a id="two"></a><img src="images/two.png" alt="step two"/>  <img src="images/set-up-network.png" alt="set up network"/></br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should automatically connect to. To do this, select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details-desktop.png" alt="Enter network SSID and type"/></td></tr>
+<tr><td style="width:45%" valign="top"><a id="three"></a><img src="images/three.png" alt="step three"/>  <img src="images/account-management.png" alt="account management"/></br></br>You can enroll the device in Azure Active Directory, or create a local account on the device</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Select <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Select <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions. </br></br>To create a local account, select that option and enter a user name and password. </br></br><strong>Important:</strong> <br />(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the <strong>Settings</strong> app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td><img src="images/account-management-details.png" alt="join  Azure AD or create a local  account"/></td></tr>
 <tr><td style="width:45%" valign="top"><a id="four"></a><img src="images/four.png" alt="step four"/> <img src="images/add-certificates.png" alt="add certificates"/></br></br>To provision the device with a certificate, click <strong>Add a certificate</strong>. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td><img src="images/add-certificates-details.png" alt="add a certificate"/></td></tr> 
 <tr><td style="width:45%" valign="top"><a id="five"></a><img src="images/five.png" alt="step five"/> <img src="images/developer-setup.png" alt="Developer Setup"/></br></br>Toggle <strong>Yes</strong> or <strong>No</strong> to enable Developer Mode on the HoloLens. <a href="https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode" data-raw-source="[Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)">Learn more about Developer Mode.</a></td><td><img src="images/developer-setup-details.png" alt="Enable Developer Mode"/></td></tr>
 <tr><td style="width:45%" valign="top"><a id="six"></a><img src="images/six.png" alt="step six"/> <img src="images/finish.png" alt="finish"/></br></br>Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.</td><td><img src="images/finish-details.png" alt="Protect your package"/></td></tr>
 </table>
 
-After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
 
-### 3. Create a provisioning package for HoloLens using advanced provisioning
+### 3. Create a provisioning package for HoloLens by using advanced provisioning
 
 > [!NOTE]
-> Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+> A provisioning package that you create in **Advanced provisioning** does not need to include an edition upgrade license to Windows Holographic for Business to succesfully apply to a HoloLens (1st gen). [See more on Windows Holographic for Business for HoloLens (1st gen)](hololens1-upgrade-enterprise.md).
 
 1. On the Windows Configuration Designer start page, select **Advanced provisioning**.
 2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
 
-3. Click **Next**.
+3. Select **Next**.
 
-4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**.
+4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then select **Next**.
 
-6. Click **Finish**.
+5. Select **Finish**.
 
-7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
+6. Expand **Runtime settings** and customize the package by using any of the settings [described later in this article](#what-you-can-configure).
 
     > [!IMPORTANT]
     > (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
 
-8. On the **File** menu, click **Save**.
+7. Select **File** > **Save**.
 
-4. Read the warning that project files may contain sensitive information, and click **OK**.
+8. Read the warning that project files may contain sensitive information, and select **OK**.
 
     > [!IMPORTANT]
     > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
     
-3. On the **Export** menu, click **Provisioning package**.
+9. Select **Export** > **Provisioning package**.
 
-4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
+10. Change **Owner** to **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. Select **Next**.
 
-5. Set a value for **Package Version**.
+11. Set a value for **Package Version**.
 
     > [!TIP]
     > You can make changes to existing packages and change the version number to update previously applied packages.
 
-6. On the **Select security details for the provisioning package**, click **Next**.
+12. On the **Select security details for the provisioning package**, select **Next**.
 
     > [!WARNING]
     > If you encrypt the provisioning package, provisioning the HoloLens device will fail.  
 
-7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
+13. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
 
-    Optionally, you can click **Browse** to change the default output location.
+    Optionally, you can select **Browse** to change the default output location.
 
-8. Click **Next**.
+14. Select **Next**.
 
-9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+15. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
 
-10. When the build completes, click **Finish**.
+16. When the build completes, select **Finish**.
 
 <span id="apply" />
 
 ## Apply a provisioning package to HoloLens during setup
 
-1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
+1. Use the USB cable to connect the device to a PC, and then start the device. Do not continue past the **First interactable moment** page of OOBE.   
+    - On HoloLens (1st gen), this page contains a blue box. 
+    - On HoloLens 2, this page contains the hummingbird.
 
-2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. (This step isn't needed in Windows 10, version 1803.)
+2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. 
 
-3. HoloLens will show up as a device in File Explorer on the PC.
+3. HoloLens shows up as a device in File Explorer on the PC.
 
 4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
 
 5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
 
-6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
+6. The device asks you if you trust the package and would like to apply it. Confirm that you trust the package.
 
 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
 
 > [!NOTE]
-> If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+> If the device was purchased before August 2016, you will need to sign in to the device by using a Microsoft account, get the latest operating system update, and then reset the operating system in order to apply the provisioning package.
 
 ### 4. Apply a provisioning package to HoloLens after setup
 
 > [!NOTE]
-> Windows 10, version 1809 only
+> These steps apply only toWindows 10, version 1809.
 
-On your PC:
+On your PC, follow these steps:
 1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
-2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
+2. Connect the HoloLens device to a PC by using a USB cable. HoloLens shows up as a device in File Explorer on the PC.
 3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
 
-On your HoloLens:
-1. Go to **Settings > Accounts > Access work or school**. 
+On your HoloLens, follow these steps:
+1. Go to **Settings** > **Accounts** > **Access work or school**. 
 2. In **Related Settings**, select **Add or remove a provisioning package**.
 3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
 
-After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
+After your package has been applied, it shows up in the list of **Installed packages**. To view the package details or to remove the package from the device, select the listed package.
 
 ## What you can configure
 
-Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://docs.microsoft.com/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers).
 
-In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
+In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). The following table describes settings that you might want to configure for HoloLens.
 
 ![Common runtime settings for HoloLens](images/icd-settings.png)
 
@@ -193,9 +198,9 @@ In Windows Configuration Designer, when you create a provisioning package for Wi
 | **Certificates** | Deploy a certificate to HoloLens.  |
 | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens.   |
 | **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens1-upgrade-enterprise.md)  |
-| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
+| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hololenspolicies) |
 
 > [!NOTE]
-> App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
+> HoloLens does not currently support installing apps (**UniversalAppInstall**) by using a provisioning package.
 
 ## Next Step: [Enroll your device](hololens-enroll-mdm.md)
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index 737b6bcc0e..79c2e77dc1 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -26,6 +26,37 @@ appliesto:
 > [!Note]
 > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
 
+### Coming Soon
+
+**Dark mode for supported apps** 
+
+Many Windows apps support both dark and light modes, and soon HoloLens 2 customers can choose the default mode for apps that support both color schemes! Based on overwhelmingly positive customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
+Navigate to **Settings > System > Colors** to find **"Choose your default app mode."**
+
+Here are some of the in-box apps that support dark mode:
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
+**Improvements and fixes also in the update:** 
+- Ensure shell overlays are included in mixed reality captures.
+- Unreal developers are now able to use the 3D View page in Device Portal to test and debug their applications.
+- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod DepthReprojection algorithm is used.
+- Fixed WinRT IStreamSocketListener API Class Not Registered error on 32-bit ARM app.
+
+### March Update - build 18362.1056
+
+- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used.
+- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation.
+- Developers productivity improvement by enabling customers to paste large amount of text through device portal.
+
 ### February Update - build 18362.1053
 
 - Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index 561eb79861..2b4e28a971 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -8,10 +8,11 @@ ms.author: v-tea
 audience: ITPro
 ms.topic: article
 ms.localizationpriority: high
-ms.date: 11/7/2019
+ms.date: 03/24/2020
 ms.reviewer: jarrettr
 manager: jarrettr
 ms.custom: 
+- CI 115825
 - CI 111456
 - CSSTroubleshooting
 appliesto:
@@ -21,80 +22,195 @@ appliesto:
 
 # Manage HoloLens updates
 
-HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet.
+HoloLens uses Windows Update in the same manner as other Windows 10 devices. When an update is available, it is automatically downloaded and installed the next time that your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md).
 
-This article will walk through all of the way to manage updates on HoloLens.
+## Manage updates automatically
 
-## Manually check for updates
+Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. Make sure that they use Windows Holographic for Business build 10.0.18362.1042 or a later build. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage their updates.
 
-While HoloLens periodically checks for system updates so you don't have to, there may be circumstances in which you want to manually check.
+Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process&mdash;that is, which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or, you can define different update schedules for different types of updates.
 
-To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available.
+> [!NOTE]  
+> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb#types-of-updates-managed-by-windows-update-for-business).
 
-## Go back to a previous version (HoloLens 2)
+You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune.
 
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+For a detailed discussion about how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure).
 
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+> [!IMPORTANT]  
+> Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens.
+>  
+> You can use Windows 10 update ring policies to manage HoloLens 2 updates.
 
-To go back to a previous version of HoloLens 2, follow these steps:
+### Configure update policies for HoloLens 2 or HoloLens (1st gen)
 
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
-1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
-1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using a USB-A to USB-C cable . (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-hololens-2).
 
-## Go back to a previous version (HoloLens (1st gen))
+The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business.
 
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+> [!NOTE]  
+> For details about specific policies that are supported by specific editions of HoloLens, see [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices).
 
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+#### Configure automatic checks for updates
 
-To go back to a previous version of HoloLens (1st gen), follow these steps:
+You can use the **Update/AllowAutoUpdate** policy to manage automatic update behavior, such as scanning, downloading, and installing updates.
 
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
-1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
-1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This policy supports the following values:
 
-> [!NOTE]
-> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+- **0** - Notify the user when there is an update that is ready to download that applies to the device.
+- **1** - Automatically install the update, and then notify the user to schedule a device restart.  
+- **2** - Automatically install the update, and then restart the device. This is the recommended value, and it is the default value for this policy.  
 
-## Use policies to manage updates to HoloLens
+- **3** - Automatically install the update, and then restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 A.M.  
 
-> [!NOTE]
-> HoloLens (1st gen) devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates.
+- **4** - Automatically install the update, and then restart the device. This option also sets the Settings page to read-only.
+
+- **5** - Turn off automatic updates.
+
+For more details about the available settings for this policy, see [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate).
+
+> [!NOTE]  
+> In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+#### Configure an update schedule
 
 To configure how and when updates are applied, use the following policies:
 
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday).  
+   - Values: **0**–**7** (0 = every day, 1 = Sunday, 7 = Saturday)
+   - Default value: **0** (every day)
+- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime).
+   - Values: 0–23 (0 = midnight, 23 = 11 P.M.)
+   - Default value: 3 P.M.
 
-To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
+#### For devices that run Windows 10, version 1607 only
 
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-
-In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
-
-For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
+You can use the following update policies to configure devices to get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
 
 - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
 - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
 - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
 
-For more information about using policies to manage HoloLens, see the following articles:
+### Plan and configure update rollouts for HoloLens 2
 
-- [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2)
-- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
-- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+HoloLens 2 supports more update automation features than HoloLens (1st gen). this is especially true if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization.
+
+#### Plan the update strategy
+
+Windows Updates for Business supports deferral policies. After Microsoft releases an update, you can use a deferral policy to define how long to wait before installing that update on devices. By associating subsets of your devices (referred to as *update rings*) with different deferral policies, you can coordinate an update rollout strategy for your organization.
+
+For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table.
+
+|Group |Number of devices |Deferral (days) |
+| ---| :---: | :---: |
+|Grp 1 (IT staff) |5 |0 |
+|Grp 2 (early adopters) |50 |60 |
+|Grp 3 (main 1) |250 |120 |
+|Grp 4 (main 2) |300 |150 |
+|Grp 5 (main 3) |395 |180 |
+
+Here's how the rollout progresses over time to the entire organization.
+
+![Timeline for deploying updates](./images/hololens-updates-timeline.png)
+
+#### Configure an update deferral policy
+
+A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device.
+
+You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each.
+
+|Category |Policy |Maximum deferral |
+| --- | --- | --- |
+|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days |
+|Quality updates |DeferQualityUpdatesPeriodInDays |30 days |
+
+####  Examples: Using Intune to manage updates
+
+**Example 1: Create and assign an update ring**
+
+For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings).
+
+1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to your Intune profiles.
+1. Select **Software Updates** > **Windows 10 update rings** > **Create**.
+1. Under **Basics**, specify a name and a description (optional), and then select **Next**.
+1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. Then, select **Next**.
+1. Under **Assignments**, select **+ Select groups to include**, and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. Then, select **Next**.
+1. Under **Review + create**, review the settings. When you're ready to save the update ring configuration, select **Create**.
+
+The list of update rings now includes the new Windows 10 update ring.
+
+**Example 2: Pause an update ring**
+
+If you encounter a problem when you deploy a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you resolve or mitigate the issue. If you pause a feature update, quality updates are still offered to devices to make sure that they stay secure. After the specified time has passed, the pause automatically expires. At that point, the update process resumes.
+
+To pause an update ring in Intune, follow these steps:
+
+1. On the overview page for the update ring, select **Pause**.
+1. Select the type of update (**Feature** or **Quality**) to pause, and then select **OK**.
+
+When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes.
+
+While the update ring is paused, you can select either of the following options:
+
+- To extend the pause period for an update type for 35 days, select **Extend**.
+- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if it is necessary.
+
+> [!NOTE]  
+> The **Uninstall** operation for update rings is not supported for HoloLens 2 devices.
+
+## Manually check for updates
+
+Although HoloLens periodically checks for system updates so that you don't have to, there may be circumstances in which you want to manually check.
+
+To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app indicates that your device is up to date, you have all the updates that are currently available.
+
+## Manually revert an update
+
+In some cases, you might want to go back to a previous version of the HoloLens software. The process for doing this depends on whether you are using HoloLens 2 or HoloLens (1st gen).
+
+### Go back to a previous version (HoloLens 2)
+
+You can roll back updates and return to a previous version of HoloLens 2 by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens 2, follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
+1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
+1. When you have finished these downloads, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this kind of cable works best.
+1. The Advanced Recovery Companion automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded. 
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+### Go back to a previous version (HoloLens (1st gen))
+
+You can roll back updates and return to a previous version of HoloLens (1st gen) by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens (1st gen), follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
+1. After the downloads finish, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use the micro-USB cable that was provided together with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best.
+1. The WDRT automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded. 
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+> [!NOTE]
+> If the WDRT doesn't detect your HoloLens device, try restarting your computer. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+
+## Related articles
+
+- [Deploy updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
+- [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates)
+- [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md
index 9c56ec9d8c..955eec82e6 100644
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@@ -7,7 +7,11 @@ author: Teresa-Motiv
 ms.author: v-tea
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 9/12/2019
+ms.custom: 
+- CI 115225
+- CSSTroubleshooting
+keywords: localize, language support, display language, keyboard language, IME, keyboard layout
+ms.date: 03/12/2020
 audience: ITPro
 ms.reviewer: jarrettr
 manager: jarrettr
@@ -17,7 +21,7 @@ appliesto:
 
 # Supported languages for HoloLens 2
 
-HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps.
+HoloLens 2 is localized into the following languages. The localization features include speech commands and dictation, keyboard layouts, and OCR recognition within apps.
 
 - Chinese Simplified (China)
 - English (Australia)
@@ -31,43 +35,43 @@ HoloLens 2 supports the following languages, including voice commands and dictat
 - Japanese (Japan)
 - Spanish (Spain)
 
-HoloLens 2 is also available in the following languages. However, this support does not include speech commands or dictation features.
+HoloLens 2 also supports the following languages. However, this support does not include speech commands or dictation features.
 
 - Chinese Traditional (Taiwan and Hong Kong)
 - Dutch (Netherlands)
 - Korean (Korea)
 
-## Changing language or keyboard
-
-The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
-
-> [!NOTE]
-> Your speech and dictation language depends on the Windows display language.
-
-## To change the Windows display language
-
-1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
-2. Select **Windows display language**, and then select a language.  
-
-If the supported language you’re looking for is not in the menu, follow these steps: 
-
-1. Under **Preferred languages** select **Add a language**. 
-2. Search for and add the language.
-3. Select the **Windows display language** menu again and choose the language you added.
-
-The Windows display language affects the following settings for Windows and for apps that support localization:
+Some features of HoloLens 2 use the Windows display language. The Windows display language affects the following settings for Windows and for apps that support localization:
 
 - The user interface text language.
 - The speech language.
 - The default layout of the on-screen keyboard.
 
-## To change the keyboard layout
+## Change the language or keyboard layout
 
-To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**.
+The setup process configures your HoloLens for a specific region and language. You can change this configuration by using the **Time & language** section of **Settings**.
+
+> [!NOTE]  
+> Your speech and dictation language depends on (and is the same as) the Windows display language.
+
+### To change the Windows display language
+
+1. Open the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
+2. Select **Windows display language**, and then select a language.  
+
+If the supported language that you're looking for is not in the menu, follow these steps:  
+
+1. Under **Preferred languages**, select **Add a language**.
+2. Locater and add the language.
+3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
+
+### To change the keyboard layout
+
+To add or remove a keyboard layout, open the **Start** menu, and then select **Settings** > **Time & language** > **Keyboard**.
 
 If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard.
 
-> [!NOTE]
+> [!NOTE]  
 > The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME.
-> 
-> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~.
+>  
+> While you use IME together with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press the tilde character button (**~**).
diff --git a/devices/hololens/hololens2-maintenance.md b/devices/hololens/hololens2-maintenance.md
new file mode 100644
index 0000000000..1faaca4425
--- /dev/null
+++ b/devices/hololens/hololens2-maintenance.md
@@ -0,0 +1,84 @@
+---
+title: HoloLens 2 device care and cleaning FAQ
+description: 
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 3/26/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom: 
+- CI 115560
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords: 
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Frequently asked questions about cleaning HoloLens 2 devices
+
+> [!IMPORTANT]  
+> Microsoft cannot make a determination of the effectiveness of any given disinfectant product in fighting pathogens such as COVID-19. Please refer to your local public health authority's guidance about how to stay safe from potential infection.  
+
+## What are the general cleaning instructions for HoloLens 2 devices?
+
+**To clean the device**
+
+1. Remove any dust by using a dry, lint-free microfiber cloth to gently wipe the surface of the device.
+1. Lightly moisten the cloth by using medical "70%" isopropyl alcohol, and then use the moistened cloth to gently wipe the surface of the device.
+
+   ![Image that shows how to clean the visor](images/hololens-cleaning-visor.png)
+
+1. Let the device dry completely.
+
+**To clean the brow pad**
+
+1. Use water and a mild, antibiotic soap to moisten a cloth, and then use the moistened cloth to wipe the brow pad.
+1. Let the brow pad dry completely.
+
+## Can I use any lens cleaner for cleaning the HoloLens visor?
+
+No. Lens cleaners can be abrasive to the coatings on the visor. To clean the visor, follow these steps:  
+
+1. Remove any dust by using a dry lint-free microfiber cloth to gently wipe the visor.
+1. Lightly moisten a cloth by using medical "70%" isopropyl alcohol, and then gently wipe the visor.
+1. Let the visor dry completely.
+
+## Can I use disinfecting wipes to clean the device?
+
+Yes, if the wipes do not contain bleach. You can use non-bleach disinfecting wipes to [gently wipe the HoloLens surfaces](#what-are-the-general-cleaning-instructions-for-hololens-2-devices).  
+
+> [!CAUTION]  
+> Avoid using disinfecting wipes that contains bleach to clean the HoloLens surfaces. It is acceptable to use bleach wipes in critical situations, when nothing else is available. However, bleach may damage the HoloLens visor or other surfaces.
+
+## Can I use alcohol to clean the device?
+
+Yes. You can use a solution of "70%" isopropyl alcohol and water to clean the hard surfaces of the device, including the visor. Lightly moisten the cloth by using a mix of isopropyl alcohol and water, and then gently wipe the surface of the device
+
+## Is the brow pad replaceable?
+
+Yes. The brow pad is magnetically attached to the device. To detach it, pull it gently away from the headband. To replace it, snap it back into place.
+
+![Remove or replace the brow pad](images/hololens2-remove-browpad.png)
+
+## How can I clean the brow pad?
+
+To clean the brow pad, wipe it by using a cloth that's moistened by using water and a mild antibiotic soap. Let the brow pad dry completely before you use it again.
+
+## Can I use ultraviolet (UV) light to sanitize the device?
+
+UV germicidal irradiation has not been tested on HoloLens 2.
+
+> [!CAUTION]  
+> High levels of UV exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV radiation has the following effects, in order of the duration and intensity of exposure:
+>  
+> 1. The brow pad and device closures become discolored.
+> 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.
+> 1. Defects appear in the base materials of the visor and on the sensor windows.
+> 1. SRG performance degrades.
+
+## Is the rear pad replaceable?
+
+No.
diff --git a/devices/hololens/images/hololens-updates-timeline.png b/devices/hololens/images/hololens-updates-timeline.png
new file mode 100644
index 0000000000..4b1e986948
Binary files /dev/null and b/devices/hololens/images/hololens-updates-timeline.png differ
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index b26023e070..67516c9773 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,4 +1,4 @@
-# [Microsoft Surface Hub](index.md)
+# [Microsoft Surface Hub](index.yml)
 
 # Surface Hub 2S
 
@@ -45,6 +45,7 @@
 ### [Update pen firmware on Surface Hub 2S](surface-hub-2s-pen-firmware.md)
 
 ## Secure
+### [Surface Hub security overview](surface-hub-security.md)
 ### [Secure and manage Surface Hub 2S with SEMM and UEFI](surface-hub-2s-secure-with-uefi-semm.md)
 ### [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
 
@@ -58,8 +59,8 @@
 ## Overview
 ### [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
 ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
-### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
-### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
+### [Technical information for 55" Microsoft Surface Hub](surface-hub-technical-55.md)
+### [Technical information for 84" Microsoft Surface Hub](surface-hub-technical-84.md)
 ### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
 
 ## Plan
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 6d7d33415f..d8d0269900 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
 
 1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again.  
 
-1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen.
+1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen.
 
 1. Select **Advanced Options**.
 
@@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
    ![downloading 97&](images/recover-progress.png)
 
    When the download finishes, the recovery process restores the Surface Hub according to the options that you selected.
+   
+
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
+
 
 ## Related topics
 
diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png
similarity index 100%
rename from devices/surface-hub/images/sccm-additional.png
rename to devices/surface-hub/images/configmgr-additional.png
diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png
similarity index 100%
rename from devices/surface-hub/images/sccm-create.png
rename to devices/surface-hub/images/configmgr-create.png
diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png
similarity index 100%
rename from devices/surface-hub/images/sccm-oma-uri.png
rename to devices/surface-hub/images/configmgr-oma-uri.png
diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png
similarity index 100%
rename from devices/surface-hub/images/sccm-platform.png
rename to devices/surface-hub/images/configmgr-platform.png
diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png
similarity index 100%
rename from devices/surface-hub/images/sccm-team.png
rename to devices/surface-hub/images/configmgr-team.png
diff --git a/devices/surface-hub/images/hub-sec-1.png b/devices/surface-hub/images/hub-sec-1.png
new file mode 100644
index 0000000000..fe4e25d084
Binary files /dev/null and b/devices/surface-hub/images/hub-sec-1.png differ
diff --git a/devices/surface-hub/images/hub-sec-2.png b/devices/surface-hub/images/hub-sec-2.png
new file mode 100644
index 0000000000..fdf7af7ca6
Binary files /dev/null and b/devices/surface-hub/images/hub-sec-2.png differ
diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml
index 7f4e46228a..249deba5a0 100644
--- a/devices/surface-hub/index.yml
+++ b/devices/surface-hub/index.yml
@@ -25,13 +25,17 @@ highlightedContent:
 # itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
   items:
     # Card
-    - title: What is Surface Hub 2S?
-      itemType: overview
-      url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099
-    # Card
     - title: What's new in Surface Hub 2S?
       itemType: whats-new
       url: surface-hub-2s-whats-new.md
+     # Card
+    - title: Surface Hub security overview 
+      itemType: learn
+      url: surface-hub-security.md
+   # Card
+    - title: Manage Surface Hub 2S with Intune
+      itemType: how-to-guide
+      url: surface-hub-2s-manage-intune.md
     # Card
     - title: Operating system essentials
       itemType: learn
@@ -41,10 +45,6 @@ highlightedContent:
       itemType: learn
       url: surface-hub-2s-site-readiness-guide.md
     # Card
-    - title: Install and mount Surface Hub 2S
-      itemType: how-to-guide
-      url: surface-hub-2s-install-mount.md
-    # Card
     - title: Customize Surface Hub 2S installation
       itemType: how-to-guide
       url: surface-hub-2s-custom-install.md
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index b3a74fc47d..5394d7c761 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
 
 Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
 
-Surface Hub has been validated with Microsoft’s first-party MDM providers:
+Surface Hub has been validated with Microsoft's first-party MDM providers:
 - Microsoft Intune standalone
 - On-premises MDM with Microsoft Endpoint Configuration Manager
 
@@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 |                                Maintenance hours                                 |                        MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration                         |                       Yes                        |                       Yes                       |             Yes             |
 |              Automatically turn on the screen using motion sensors               |                                                 InBoxApps/Welcome/AutoWakeScreen                                                 |                       Yes                        |                       Yes                       |             Yes             |
 |                      Require a pin for wireless projection                       |                                             InBoxApps/WirelessProjection/PINRequired                                             |                       Yes                        |                       Yes                       |             Yes             |
-|                            Enable wireless projection                            |                                               InBoxApps/WirelessProjection/Enabled                                               |                       Yes                        | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                 Miracast channel to use for wireless projection                  |                                               InBoxApps/WirelessProjection/Channel                                               |                       Yes                        | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|              Connect to your Operations Management Suite workspace               |                                         MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey                                          |                       Yes                        | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                         Welcome screen background image                          |                                             InBoxApps/Welcome/CurrentBackgroundPath                                              |                       Yes                        | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Meeting information displayed on the welcome screen                |                                               InBoxApps/Welcome/MeetingInfoOption                                                |                       Yes                        | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                      Friendly name for wireless projection                       |                                                     Properties/FriendlyName                                                      | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+|                            Enable wireless projection                            |                                               InBoxApps/WirelessProjection/Enabled                                               |                       Yes                        | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                 Miracast channel to use for wireless projection                  |                                               InBoxApps/WirelessProjection/Channel                                               |                       Yes                        | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|              Connect to your Operations Management Suite workspace               |                                         MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey                                          |                       Yes                        | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                         Welcome screen background image                          |                                             InBoxApps/Welcome/CurrentBackgroundPath                                              |                       Yes                        | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Meeting information displayed on the welcome screen                |                                               InBoxApps/Welcome/MeetingInfoOption                                                |                       Yes                        | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager |             Yes             |
+|                      Friendly name for wireless projection                       |                                                     Properties/FriendlyName                                                      | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 |                   Device account, including password rotation                    | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). |                        No                        |                       No                        |             Yes             |
-|                               Specify Skype domain                               |                                              InBoxApps/SkypeForBusiness/DomainName                                               |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Auto launch Connect App when projection is initiated               |                                                   InBoxApps/Connect/AutoLaunch                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                                Set default volume                                |                                                     Properties/DefaultVolume                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                                Set screen timeout                                |                                                     Properties/ScreenTimeout                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                               Set session timeout                                |                                                    Properties/SessionTimeout                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                                Set sleep timeout                                 |                                                     Properties/SleepTimeout                                                      |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                   Allow session to resume after screen is idle                   |                                                  Properties/AllowSessionResume                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|             Allow device account to be used for proxy authentication             |                                                  Properties/AllowAutoProxyAuth                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings |                                               Properties/DisableSignInSuggestions                                                |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|              Disable "My meetings and files" feature in Start menu               |                                              Properties/DoNotShowMyMeetingsAndFiles                                              |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                     Set the LanProfile for 802.1x Wired Auth                     |                                                         Dot3/LanProfile                                                          | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                    Set the EapUserData for 802.1x Wired Auth                     |                                                         Dot3/EapUserData                                                         | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+|                               Specify Skype domain                               |                                              InBoxApps/SkypeForBusiness/DomainName                                               |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Auto launch Connect App when projection is initiated               |                                                   InBoxApps/Connect/AutoLaunch                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                                Set default volume                                |                                                     Properties/DefaultVolume                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                                Set screen timeout                                |                                                     Properties/ScreenTimeout                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                               Set session timeout                                |                                                    Properties/SessionTimeout                                                     |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                                Set sleep timeout                                 |                                                     Properties/SleepTimeout                                                      |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                   Allow session to resume after screen is idle                   |                                                  Properties/AllowSessionResume                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|             Allow device account to be used for proxy authentication             |                                                  Properties/AllowAutoProxyAuth                                                   |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings |                                               Properties/DisableSignInSuggestions                                                |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|              Disable "My meetings and files" feature in Start menu               |                                              Properties/DoNotShowMyMeetingsAndFiles                                              |                    Yes </br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                     Set the LanProfile for 802.1x Wired Auth                     |                                                         Dot3/LanProfile                                                          | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                    Set the EapUserData for 802.1x Wired Auth                     |                                                         Dot3/EapUserData                                                         | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
 
 |      Setting       |                                            Details                                             |                                                                          CSP reference                                                                           |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-|  Allow Bluetooth   |                      Keep this enabled to support Bluetooth peripherals.                       |                   [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth)                   |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. |                     Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx)                      |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|    Allow camera    |                           Keep this enabled for Skype for Business.                            |                            [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera)                            |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|   Allow location   |                        Keep this enabled to support apps such as Maps.                         |                          [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation)                          |                   Yes. <br> .                    | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|  Allow telemetry   |                    Keep this enabled to help Microsoft improve Surface Hub.                    |                         [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry)                         |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|  Allow USB Drives  |                     Keep this enabled to support USB drives on Surface Hub                     | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+|  Allow Bluetooth   |                      Keep this enabled to support Bluetooth peripherals.                       |                   [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth)                   |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. |                     Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx)                      |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|    Allow camera    |                           Keep this enabled for Skype for Business.                            |                            [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera)                            |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|   Allow location   |                        Keep this enabled to support apps such as Maps.                         |                          [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation)                          |                   Yes. <br> .                    | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|  Allow telemetry   |                    Keep this enabled to help Microsoft improve Surface Hub.                    |                         [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry)                         |                    Yes. <br>                     | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|  Allow USB Drives  |                     Keep this enabled to support USB drives on Surface Hub                     | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. 
 
@@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
 
 |                          Setting                          |                                                                        Details                                                                        |                                                                             CSP reference                                                                              |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-|                         Homepages                         |                                               Use to configure the default homepages in Microsoft Edge.                                               |                                [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)                                | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                       Allow cookies                       |                    Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session.                     |                             [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies)                             | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                   Allow developer tools                   |                                                   Use to stop users from using F12 Developer Tools.                                                   |                      [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools)                      | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                    Allow Do Not Track                     |                                                          Use to enable Do Not Track headers.                                                          |                          [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack)                          | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                       Allow pop-ups                       |                                                         Use to block pop-up browser windows.                                                          |                              [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups)                              | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                 Allow search suggestions                  |                                                  Use to block search suggestions in the address bar.                                                  |       [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar)       | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|                     Allow Windows Defender SmartScreen                     |                                                       Keep this enabled to turn on Windows Defender SmartScreen.                                                       |                         [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen)                         | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-| Prevent ignoring Windows Defender SmartScreen warnings for websites |     For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites.     |         [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride)         | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|  Prevent ignoring Windows Defender SmartScreen warnings for files   | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+|                         Homepages                         |                                               Use to configure the default homepages in Microsoft Edge.                                               |                                [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)                                | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                       Allow cookies                       |                    Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session.                     |                             [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies)                             | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                   Allow developer tools                   |                                                   Use to stop users from using F12 Developer Tools.                                                   |                      [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools)                      | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                    Allow Do Not Track                     |                                                          Use to enable Do Not Track headers.                                                          |                          [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack)                          | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                       Allow pop-ups                       |                                                         Use to block pop-up browser windows.                                                          |                              [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups)                              | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                 Allow search suggestions                  |                                                  Use to block search suggestions in the address bar.                                                  |       [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar)       | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|                     Allow Windows Defender SmartScreen                     |                                                       Keep this enabled to turn on Windows Defender SmartScreen.                                                       |                         [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen)                         | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites |     For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites.     |         [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride)         | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|  Prevent ignoring Windows Defender SmartScreen warnings for files   | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
 
 |                      Setting                      |                                                                                                           Details                                                                                                            |                                                                    CSP reference                                                                    |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Use Current Branch or Current Branch for Business |                                                       Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md).                                                       |            [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel)             | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Defer feature updates               |                                                                                                          See above.                                                                                                          | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Defer quality updates               |                                                                                                          See above.                                                                                                          | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays)  | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Pause feature updates               |                                                                                                          See above.                                                                                                          |             [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates)              | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Pause quality updates               |                                                                                                          See above.                                                                                                          |             [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates)              | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|           Configure device to use WSUS            |                                            Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md).                                             |                [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl)                 | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-|               Delivery optimization               | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. |         DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx)          | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+| Use Current Branch or Current Branch for Business |                                                       Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md).                                                       |            [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel)             | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Defer feature updates               |                                                                                                          See above.                                                                                                          | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Defer quality updates               |                                                                                                          See above.                                                                                                          | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays)  | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Pause feature updates               |                                                                                                          See above.                                                                                                          |             [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates)              | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Pause quality updates               |                                                                                                          See above.                                                                                                          |             [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates)              | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|           Configure device to use WSUS            |                                            Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md).                                             |                [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl)                 | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+|               Delivery optimization               | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. |         DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx)          | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
 
 |      Setting      |                                              Details                                               |                                                     CSP reference                                                      |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Defender policies |            Use to configure various Defender settings, including a scheduled scan time.            | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+| Defender policies |            Use to configure various Defender settings, including a scheduled scan time.            | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 |  Defender status  | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. |                   [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx)                    |                       Yes                        |                       Yes                       |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
 |                       Setting                        |                                                          Details                                                          |                                                             CSP reference                                                             |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
 |            Reboot the device immediately             | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). |        ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx)        |                       Yes                        |                       No                        |             Yes             |
-|    Reboot the device at a scheduled date and time    |                                                        See above.                                                         |     ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx)     | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
-| Reboot the device daily at a scheduled date and time |                                                        See above.                                                         | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+|    Reboot the device at a scheduled date and time    |                                                        See above.                                                         |     ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx)     | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
+| Reboot the device daily at a scheduled date and time |                                                        See above.                                                         | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
 
 |        Setting         |                                                            Details                                                             |                                                    CSP reference                                                     |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
 
 |      Setting      |                               Details                               |                                                CSP reference                                                 |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
 
 |       Setting        |                                                                       Details                                                                        |                                                        CSP reference                                                         |            Supported with<br>Intune?             |    Supported with<br>Configuration Manager?     | Supported with<br>SyncML\*? |
 |----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) |             Yes             |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes <br> [Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.<br> [Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) |             Yes             |
 
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 ### Generate OMA URIs for settings 
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
+You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
 
 **To generate the OMA URI for any setting in the CSP documentation**
 1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>` <br>
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
 - bool (Boolean)
 
 
-<span id="example-intune">
 ## Example: Manage Surface Hub settings with Microsoft Intune
 
 You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
 
 
 
-<span id="example-sccm">
-## Example: Manage Surface Hub settings with  Microsoft Endpoint Configuration Manager
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
 Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
 
 > [!NOTE]
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
 3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
 4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
 
-    ![example of UI](images/sccm-create.png)
+    ![example of UI](images/configmgr-create.png)
 5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
 
-    ![select platform](images/sccm-platform.png)
+    ![select platform](images/configmgr-platform.png)
 7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
 
 
 8. On the **Windows 10 Team** page, configure the settings you require.
 
-    ![Windows 10 Team](images/sccm-team.png)
+    ![Windows 10 Team](images/configmgr-team.png)
 9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
 
-    ![additional settings](images/sccm-additional.png)
+    ![additional settings](images/configmgr-additional.png)
 10. On the **Additional Settings** page, click **Add**.
 11. In the **Browse Settings** dialog, click **Create Setting**.
 12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
 13. Under **Setting type**, select **OMA URI**.
 14. Complete the form to create a new setting, and then click **OK**.
 
-    ![OMA URI setting](images/sccm-oma-uri.png)
+    ![OMA URI setting](images/configmgr-oma-uri.png)
 15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
 16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
 17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index 9517857676..eb33f483d6 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set
 - The first step is an initial connection using 2.4GHz. 
 - After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings.
 
-There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment.
+There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment.
 
 ## Connect issues
 
 Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub. 
 
-If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. 
+If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. 
 
 When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan.
 
@@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on
 Next, ensure Miracast is supported on the device. 
 
 1. Press Windows Key + R and type `dxdiag`. 
-2. Click “Save all information”. 
+2. Click "Save all information". 
 3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**. 
     
 ### Check firewall
@@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast.
 
 ### Check event logs
 
-The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
+The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
 
 ## Performance issues
 
@@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult
 
 If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection. 
 
-Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point. 
+Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point. 
 
 If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date.
 
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md
index ff8dbd07ad..2c713a0a21 100644
--- a/devices/surface-hub/surface-hub-2s-pack-components.md
+++ b/devices/surface-hub/surface-hub-2s-pack-components.md
@@ -36,7 +36,7 @@ Use the following steps to pack your Surface Hub 2S 50" for shipment.
 | **7.** | Replace the cover and slide the Compute Cartridge back into the unit.                                            | ![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)|
 | **8.**  | Re-fasten the locking screw and slide the cover into place.                                                      | ![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)|
 | **9.**  | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.    | ![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)|
-| **10.** | Replace the cover of the shipping container, and insert the four clips.                                          | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png|
+| **10.** | Replace the cover of the shipping container, and insert the four clips.                                          | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png)|
 | **11.** | Close the four clips.                                                                                            | ![Close the four clips.](images/surface-hub-2s-repack-13.png)|
 
 
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index 1f0e98f92b..7493e10c3c 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri
 
 > [!NOTE]
 > To enter recovery mode, unplug the power cord and plug it in again three times.
+
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md
new file mode 100644
index 0000000000..4dc2b7518e
--- /dev/null
+++ b/devices/surface-hub/surface-hub-security.md
@@ -0,0 +1,158 @@
+---
+title: "Surface Hub security overview"
+description: "This page explains the Defense in Depth design of Surface Hub and describes security enhancements in Surface Hub 2S, wireless security protections, and related features."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+manager: laurawi
+audience: Admin
+ms.topic: article
+ms.date: 03/27/2020
+ms.localizationpriority: High
+---
+# Surface Hub security overview
+
+Surface Hub provides a locked-down computing appliance with custom platform firmware running the Windows 10 Team Edition operating system. The resulting device takes the traditional, "single use" secure kiosk, "only run what you need" philosophy and delivers a modern take on it. Built to support a rich collaborative user experience, Surface Hub is protected against continually evolving security threats.
+
+Built on Windows 10, Surface Hub delivers enterprise-grade modern security enabling IT admins to enforce data protection with BitLocker, Trusted Platform Module 2.0 (TPM), plus cloud-powered security with Windows Defender (also known as Microsoft Defender).
+
+## Defense in Depth security
+
+Security protocols begin as soon as Surface Hub is turned on. Starting at the firmware level, Surface Hub will only load the operating system and its components in response to multiple security checks. Surface Hub employs a strategy called Defense in Depth that involves layering independent defensive sub-components to protect the whole of the system in the event of partial failure. This industry practice has proven to be highly effective in mitigating against potential unilateral exploits and weakness in sub-components.
+
+The modern Unified Extensible Firmware Interface (UEFI) is statically and securely configured by Microsoft to only boot an authenticated Windows 10 Team Edition operating system from internal storage.  Every line of code that runs on Surface Hub has its signature verified prior to execution. Only applications signed by Microsoft, either as part of the operating system or installed via the Microsoft Store, can run on the Surface Hub. Code or apps not meeting these requirements are blocked.
+
+Surface Hub security systems include the following:
+
+- **Boot-time defenses.** Loads only trusted Surface Hub operating system components.
+- **Operating system defenses.** Protects against execution of unintended or malicious software or code.
+- **User interface defenses.** Provides a user interface that's safe for end users, preventing access to potentially risky activities such as running executables from the command line.
+
+### Boot-time defenses
+
+The SoC has a security processor that's separate from every other core. When you first start Surface Hub, only the security processor starts before anything else can be loaded.
+
+![Hub startup boot phases showing security processor protections](images/hub-sec-1.png)
+
+#### Secure Boot
+
+Secure Boot is used to verify that the components of the boot process, including drivers and the operating system, are validated against a database of valid and known signatures. On Surface Hub, a platform-specific signature must first be validated before the authorized Windows Team operating system can be loaded. This helps prevent attacks from a cloned or modified system running malicious code hidden in what appears to be an otherwise normal user experience.  For more information, see [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+
+### Operating system defenses
+
+Once the operating system is verified as originating from Microsoft and Surface Hub successfully completes the boot process, the device scrutinizes the executable code. Our approach to securing the operating system involves identifying the code signature of all executables, allowing only those that pass our restrictions to be loaded into the runtime. This code signing method enables the operating system to verify the author and confirm that code was not altered prior to running on the device.
+
+Surface Hub uses a code signing feature known as User Mode Code Integrity (UMCI) in Windows Application Control (formerly known as Device Guard). Policy settings are configured to only allow apps that meet one of these requirements:
+
+- Universal Windows Platform (Microsoft Store) apps that are [officially certified](https://docs.microsoft.com/windows/uwp/publish/the-app-certification-process).
+- Apps signed with the unique Microsoft Production Root Certification Authority (CA), which can only be signed by Microsoft employees with authorized access to those certificates.
+- Apps signed with the unique Surface Hub Production Root C.
+
+The configuration file is signed using the Microsoft Production Root CA designed to prevent restrictions from being removed or modified by a third party. All other executables at this point are simply blocked at the operating system runtime level and prevented from accessing processing power. This attack surface reduction provides the following protections:
+
+- No legacy document modes
+- No legacy script engines
+- No Vector Markup Language
+- No Browser Helper Objects
+- No ActiveX controls
+
+In addition to blocking unsigned or incorrectly signed code via UMCI, Surface Hub uses Windows Application Control to block Windows components, such as the Command Prompt, PowerShell, and Task Manager. These safeguards reflect a key design feature of Surface Hub as a secure computing appliance. For more information, see the following:
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+### User interface defenses
+
+While boot-time defenses and operating system lockdown safeguards deliver foundational security, the user interface provides an additional layer designed to further reduce risk. To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for plug and play (PnP) devices. Devices that leverage basic drivers, such as USB flash drives or certified Surface Hub peripherals (speakers, microphones, cameras) work as expected, but advanced systems, such as printers, will not.
+
+User interface defenses also simplify the UI, further preventing the execution of malicious software or code. The following Surface Hub UI elements layer the core security provided by code signing:
+
+- **File Explorer.** Surface Hub has a custom File Explorer that enables quick access to Music, Videos, Documents, Pictures, and Downloads folders — without exposing users to system or program files. Other locations on the local hard drive are not available through File Explorer. In addition, many file types running such as .exe, and .msi installation files cannot run providing another layer of safety against potentially malicious executables.
+
+- **Start & All Apps.** The Start and All Apps components of Surface Hub do not expose access to Command Prompt, PowerShell, or other Windows components blocked via Application Control. In addition, Windows run functionality typically accessed on PCs from the Search box is turned off for Surface Hub.
+
+## Security enhancements in Surface Hub 2S
+
+Although Surface Hub and Surface Hub 2S both run the same operating system software, some features unique to Surface Hub 2S provide additional management and security capabilities enabling IT admins to perform the following tasks:
+
+- Manage UEFI settings with SEMM
+- Recover Hub with bootable USB
+- Harden device account with password rotation
+
+### Manage UEFI settings with SEMM
+
+UEFI is an interface between the underlying hardware platform pieces and the operating system. On Surface Hub, a custom UEFI implementation allows granular control over these settings and prevents any non-Microsoft entity from changing the UEFI settings of the device — or booting to a removable drive to modify or change the operating system.
+
+At a high level, during the factory provisioning process, Surface Hub UEFI is preconfigured to enable Secure Boot and is set to only boot from the internal solid-state drive (SSD), with access to UEFI menus locked down and shortcuts removed. This seals UEFI access and ensures the device can only boot into the Windows Team operating system installed on Surface Hub.
+
+When managed via Microsoft Surface Enterprise Management Mode (SEMM), IT admins can deploy UEFI settings on Hub devices across an organization. This includes the ability to enable or disable built-in hardware components, protect UEFI settings from being changed by unauthorized users, and adjust boot settings.
+
+![Surface Hub UEFI settings](images/hub-sec-2.png)
+
+Admins can implement SEMM and enrolled Surface Hub 2S devices using the downloadable [Microsoft Surface UEFI Configurator](https://www.microsoft.com/download/details.aspx?id=46703). For more information, see [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm).
+Secured using a certificate to protect the configuration from unauthorized tampering or removal, SEMM enables management of the following components:
+
+- Wired LAN
+- Camera
+- Bluetooth
+- Wi-Fi
+- Occupancy sensor
+- IPv6 for PXE Boot
+- Alternate Boot
+- Boot Order Lock
+- USB Boot
+- UEFI front page interface
+    - Devices
+    - Boot
+    - Date/Time
+
+    
+### Recover Hub with bootable USB
+
+Surface Hub 2S enables admins to reinstall the device to factory settings using a recovery image in as little as 20 minutes. Typically, you would only need to do this if your Surface Hub is no longer functioning. Recovery is also useful if you have lost the Bitlocker key or no longer have admin credentials to the Settings app.
+
+### Harden device account with password rotation
+
+Surface Hub uses a device account, also known as a "room account" to authenticate with Exchange, Microsoft Teams, and other services. When you enable password rotation, Hub 2S automatically generates a new password every 7 days, consisting of 15-32 characters with a combination of uppercase and lowercase letters, numbers, and special characters. Because no one knows the password, the device account password rotation effectively mitigates associated risk from human error and potential social engineering security attacks.
+
+## Windows 10 enterprise-grade security
+
+In addition to Surface Hub-specific configurations and features addressed in this document, Surface Hub also uses the standard security features of Windows 10. These include:
+
+- **BitLocker**. The Surface Hub SSD is equipped with BitLocker to protect the data on the device. Its configuration follows industry standards. For more information, see [BitLocker overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+- **Windows Defender.** The Windows Defender anti-malware engine runs continuously on Surface Hub and works to automatically remediate threats found on Surface Hub. The Windows Defender engine receives updates automatically and is manageable via remote management tools for IT admins. The Windows Defender engine is a perfect example of our Defense in Depth approach: If malware can find a way around our core code-signage-based security solution, it will be caught here. For more information, see [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
+- **Plug and play drivers.** To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for PnP devices. This allows devices that leverage basic drivers such as USB flash drives to work as expected while blocking more advanced systems such as printers.
+- **Trusted Platform Module 2.0.** Surface Hub has an industry standard discrete Trusted Platform Module (dTPM) for generating and storing cryptographic keys and hashes. The dTPM protects keys used for the verification of boot phases, the BitLocker master key, password-less sign-on key, and more. The dTPM meets [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation) certification, the U.S. government computer security standard, and is compliant with [Common Criteria](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria) certification used worldwide.
+
+## Wireless security for Surface Hub
+
+Surface Hub uses Wi-Fi Direct / Miracast technology and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
+
+Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
+
+Wi-Fi Direct or Wi-Fi "peer to peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
+
+Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Devices can be authenticated using a numerical pin, a physical or virtual push button, or an out-of-band message using near-field communication. Surface Hub supports both push button by default as well PIN methods. For more information, see [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct).
+
+## Learn more
+
+- [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
+
+- [BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm)
+
+- [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+- [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703)
+
+- [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
+
+- [Common Criteria certification](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index af6809a477..cf02da1a6e 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="even">
 <td align="left"><p>0x80072EFD</p></td>
 <td align="left"><p>WININET_E_CANNOT_CONNECT</p></td>
-<td align="left"><p>Can’t connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
+<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account settings.</p></td>
 <td align="left"><p>Verify that the server name is correct and reachable. Verify that the device is connected to the network.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>0x86000C29</p></td>
-<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)</p></td>
+<td align="left"><p>E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)</p></td>
 <td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
 <td align="left"><p>Disable the <strong>PasswordEnabled</strong> policy for this account.</p>
-<p>We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.</p></td>
+<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>0x86000C4C</p></td>
@@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="odd">
 <td align="left"><p>0x86000C0A</p></td>
 <td align="left"><p>E_NEXUS_STATUS_SERVERERROR_RETRYLATER</p></td>
-<td align="left"><p>Can’t connect to the server right now.</p></td>
+<td align="left"><p>Can't connect to the server right now.</p></td>
 <td align="left"><p>Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
 </tr>
 <tr class="even">
@@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="odd">
 <td align="left"><p>0x8505000D</p></td>
 <td align="left"><p>E_AIRSYNC_RESET_RETRY</p></td>
-<td align="left"><p>Can’t connect to the server right now. Wait a while or check the account’s settings.</p></td>
+<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
 <td align="left"><p>This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.</p></td>
 </tr>
 <tr class="even">
@@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="odd">
 <td align="left"><p>0x85010004</p></td>
 <td align="left"><p>E_HTTP_FORBIDDEN</p></td>
-<td align="left"><p>Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.</p></td>
+<td align="left"><p>Can't connect to the server right now. Wait a while and try again, or check the account's settings.</p></td>
 <td align="left"><p>Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>0x85030028</p></td>
 <td align="left"><p>E_ACTIVESYNC_PASSWORD_OR_GETCERT</p></td>
-<td align="left"><p>The account’s password or client certificate are missing or invalid.</p></td>
+<td align="left"><p>The account's password or client certificate are missing or invalid.</p></td>
 <td align="left"><p>Update the password and/or deploy the client certificate.</p></td>
 </tr>
 <tr class="odd">
@@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="odd">
 <td align="left"><p>0x80072EE2</p></td>
 <td align="left"><p>WININET_E_TIMEOUT</p></td>
-<td align="left"><p>The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
+<td align="left"><p>The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.</p></td>
 <td align="left"><p>Verify that the server is running. Verify the NAT settings.</p></td>
 </tr>
 <tr class="even">
@@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="odd">
 <td align="left"><p>0x85010017</p></td>
 <td align="left"><p>E_HTTP_SERVICE_UNAVAIL</p></td>
-<td align="left"><p>Can’t connect to the server right now. Wait a while or check the account’s settings.</p></td>
+<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
 <td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>0x86000C0D</p></td>
 <td align="left"><p>E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE</p></td>
-<td align="left"><p>Can’t connect to the server right now. Wait a while or check the account’s settings.</p></td>
+<td align="left"><p>Can't connect to the server right now. Wait a while or check the account's settings.</p></td>
 <td align="left"><p>Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.</p></td>
 </tr>
 <tr class="odd">
@@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <td align="left"><p>E_NEXUS_STATUS_INVALID_POLICYKEY</p></td>
 <td align="left"><p>The account is configured with policies not compatible with Surface Hub.</p></td>
 <td align="left"><p>Disable the PasswordEnabled policy for this account.</p>
-<p>We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.</p></td>
+<p>We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>0x85010005</p></td>
@@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 <tr class="even">
 <td align="left"><p>0x85010014</p></td>
 <td align="left"><p>E_HTTP_SERVER_ERROR</p></td>
-<td align="left"><p>Can’t connect to the server.</p></td>
+<td align="left"><p>Can't connect to the server.</p></td>
 <td align="left"><p>Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.</p></td>
 </tr>
 <tr class="odd">
@@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 </tbody>
 </table>
 
- 
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
+
 
  
 ## Related content
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index a6e9524cd2..416610d656 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -1,6 +1,6 @@
 ---
 title: Set up and use Microsoft Whiteboard
-description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
+description: Microsoft Whiteboard's latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
 ms.prod: surface-hub
 ms.sitesec: library
 author: dansimp
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 
 # Set up and use Microsoft Whiteboard
 
-The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices to collaborate in real time on the same board.
+The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices with the Microsoft Whiteboard app installed to collaborate in real time on the same board.
 
 ## Prerequisites
 
@@ -48,14 +48,16 @@ On the other device, such as a Surface Hub, when you are signed in, the shared b
 - You can also change the background color and design from solid to grid or dots. Pick the background, then choose the color from the wheel around it.
 - You can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
 
+For more information, see [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d).
+
 > [!NOTE]
->  If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you’re done, tap **Settings** > **Export to email** or save a copy of the board. The SVG export provides higher resolution than PNG and can be opened in a web browser.
+>  If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you're done, tap **Settings** > **Export to email** or save a copy of the board. If you choose to export to SVG, it exports vector graphics and provides higher resolution than PNG and can be opened in a web browser.
 
 ## New features in Whiteboard
 
 The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a host of new features including:
 
-- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. 
+- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. There is no local folder name or directory.
 - **Extended collaboration across devices** - You can collaborate using new apps for Windows 10 PC and iOS, and a web version for other devices.
 - **Richer canvas** - In addition to ink and images, Whiteboard now includes sticky notes, text and GIFs, with more objects coming soon.
 - **Intelligence** – In addition to ink to shape and table, Whiteboard now includes ink beautification to improve handwriting and ink grab to convert images to ink.
@@ -68,3 +70,5 @@ The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a
 - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
 
 - [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
+
+- [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index c677b56488..2ab8b6b45b 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -10,10 +10,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 07/27/2017
 ---
 
 # Advanced UEFI security features for Surface Pro 3
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index db6a63ad69..21d5947ce2 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -5,10 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.localizationpriority: medium
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 10/21/2019
 ms.reviewer: hachidan
 manager: dansimp
 ---
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index c5d75cda00..8866b5c37b 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -5,11 +5,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.date: 10/31/2019
+author: coveminer
 ms.reviewer: 
 manager: dansimp
-ms.author: dansimp
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 18fc041b85..c3a2ef2f31 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -6,12 +6,11 @@ description: This topic lists new and updated topics in the Surface documentatio
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ---
 
 # Change history for Surface documentation
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 0b9915c4b0..5aac305c5a 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 11/25/2019
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index 46c321367b..bd26347d6a 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -10,11 +10,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.audience: itpro
-ms.date: 10/21/2019
 ---
 
 # Customize the OOBE for Surface deployments
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index a03f6e46fa..4b24dd9589 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, store
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index 61fc8352df..e1debff872 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 01/15/2020
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index 68749b654c..f0b8a6490f 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -5,11 +5,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.date: 10/02/2018
+author: coveminer
 ms.reviewer: 
 manager: dansimp
-ms.author: dansimp
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md
index 55a45cdd43..0d49be965e 100644
--- a/devices/surface/documentation/surface-system-sku-reference.md
+++ b/devices/surface/documentation/surface-system-sku-reference.md
@@ -7,7 +7,6 @@ ms.sitesec: library
 author: coveminer
 ms.author: v-jokai
 ms.topic: article
-ms.date: 03/12/2019
 ---
 # Surface System SKU Reference
 This document provides a reference of System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell, WMI, and related tools. 
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 49e1bc555b..65453aeaf5 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -10,10 +10,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 07/27/2017
 ---
 
 # Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
index b49b04d13a..18011a1ca5 100644
--- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
+++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
@@ -9,7 +9,6 @@ ms.sitesec: library
 author: Teresa-Motiv
 ms.author: v-tea
 ms.topic: article
-ms.date: 01/30/2020
 ms.reviewer: scottmca
 ms.localizationpriority: medium
 ms.audience: itpro
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 50ecb3cb35..8e512c1511 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 3c05a0d165..4acda64004 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -10,11 +10,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.audience: itpro
-ms.date: 10/21/2019
 ---
 
 # Ethernet adapters and Surface deployment
diff --git a/devices/surface/index.yml b/devices/surface/index.yml
index 29bd13e5da..d9d7043dc2 100644
--- a/devices/surface/index.yml
+++ b/devices/surface/index.yml
@@ -24,17 +24,18 @@ additionalContent:
     - title: For IT Professionals # < 60 chars (optional)
       items:
         # Card
-        - title: Surface devices
+        - title: Surface devices documentation
           summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
           url: https://docs.microsoft.com/en-us/surface/get-started
         # Card
-        - title: Surface Hub
-          summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
+        - title: Surface Hub documentation
+          summary: Learn how to deploy and manage Surface Hub 2S, the all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. 
           url: https://docs.microsoft.com/surface-hub/index
-        # Card
-        - title: Surface for Business
-          summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
-          url: https://www.microsoft.com/surface/business
+         # Card
+        - title: Surface Hub adoption guidance
+          summary: Get best practices for technical readiness and adoption across your lines of business. 
+          url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
+        
     - title: Other resources # < 60 chars (optional)
       items:
         # Card
@@ -51,8 +52,7 @@ additionalContent:
               url: https://docs.microsoft.com/learn/browse/?term=Surface
             - text: Microsoft Mechanics Surface videos
               url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
-            - text: Surface Hub 2S adoption and training
-              url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
+            
         # Card
         - title: Need help?
           links:
@@ -60,3 +60,5 @@ additionalContent:
               url: https://support.microsoft.com/products/surface-devices
             - text: Surface Hub
               url: https://support.microsoft.com/hub/4343507/surface-hub-help
+            - text: Contact Surface Hub Support
+              url: https://support.microsoft.com/supportforbusiness/productselection?sapId=bb7066fb-e329-c1c0-9c13-8e9949c6a64e
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 5e14c8444d..9d47e34bb2 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -5,8 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.reviewer: 
 manager: dansimp
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 2631b5f837..3760d85a4d 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -4,8 +4,8 @@ description: This topic provides best practice recommendations for maintaining o
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.reviewer: 
 manager: dansimp
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index e2913ed910..827d2c64c5 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -10,11 +10,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.audience: itpro
-ms.date: 03/10/2020
 ---
 
 # Manage and deploy Surface driver and firmware updates
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 1a6d09a545..224cc16744 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -7,10 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices, surface
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 02/26/2020
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 1761581ced..84ef8a1b9f 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -5,10 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 10/31/2019
 ms.reviewer: hachidan
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index a835026b8b..4ee475b184 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -10,11 +10,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.audience: itpro
-ms.date: 02/20/2020
 ---
 
 # Microsoft Surface Data Eraser
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 8fbc32d7df..e60688692b 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -4,15 +4,14 @@ description: Microsoft Surface Deployment Accelerator provides a quick and simpl
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.reviewer: hachidan
 manager: dansimp
-ms.date: 10/31/2019
 ms.localizationpriority: medium
 keywords: deploy, install, tool
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.audience: itpro
 ---
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 04d78253ee..42f641271c 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -10,8 +10,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 10/31/2019
 ---
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index b311e28937..4fe99f1ebd 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -9,8 +9,8 @@ ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 09/26/2019
 ms.localizationpriority: medium
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index d57966b6cf..15f3dc33f0 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ms.reviewer: scottmca
 manager: dansimp
 ---
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 62c4129d08..9c71c1cee4 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -5,8 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.localizationpriority: medium
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 10/31/2019
 ms.reviewer: hachidan
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 6ea9d9ac55..7dca10584e 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -4,10 +4,9 @@ description: How to run Surface Diagnostic Toolkit in a command console
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 11/15/2018
 ms.reviewer: hachidan
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 738ec1ecae..8586cb543a 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -4,10 +4,9 @@ description: How to use SDT to help users in your organization run the tool to i
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 10/31/2019
 ms.reviewer: hachidan
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index a64fb3cc4f..7c84f5c0e4 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -4,8 +4,8 @@ description: This page provides an introduction to the Surface Diagnostic Toolki
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.reviewer: cottmca
 manager: dansimp
@@ -29,7 +29,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
 
 **To run the Surface Diagnostic Toolkit for Business:**
 
-1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
+1. Download the Surface Diagnostic Toolkit for Business. To do this, go to the [**Surface Tools for IT** download page](https://www.microsoft.com/download/details.aspx?id=46703), choose **Download**, select **Surface Diagnostic Toolkit for Business** from the provided list, and choose **Next**.
 2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
 
 The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. 
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index e872ddc649..d748891d49 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -11,7 +11,6 @@ ms.topic: article
 ms.reviewer: scottmca
 manager: dansimp
 ms.audience: itpro
-ms.date: 02/07/2020
 ---
 # Microsoft Surface Dock Firmware Update
 
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 52e193b6dd..493b04c1ae 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -6,10 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 12/02/2019
 ms.reviewer: scottmca
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index efb5fa93b5..41a2f2f912 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -5,8 +5,8 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 11/13/2019
 ms.reviewer: jesko
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index fd98f72368..fb4f9b552d 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -5,10 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.localizationpriority: high
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 1/22/2020
 ms.reviewer: jessko
 manager: dansimp
 ms.audience: itpro
diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md
index baa547d04b..0057104b59 100644
--- a/devices/surface/surface-pro-arm-app-performance.md
+++ b/devices/surface/surface-pro-arm-app-performance.md
@@ -5,8 +5,8 @@ ms.prod: w10
 ms.localizationpriority: medium
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 10/03/2019
 ms.reviewer: jessko
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index f74ee76e83..9c7b32f336 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -6,8 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.date: 03/09/2020
 ms.reviewer: 
@@ -39,6 +39,7 @@ System Model and System SKU are variables that are stored in the System Manageme
 | Surface Go Commercial                                        | Surface Go       | Surface_Go_1824_Commercial       |
 | Surface Pro 6 Consumer                                       | Surface Pro 6    | Surface_Pro_6_1796_Consumer      |
 | Surface Pro 6 Commercial                                     | Surface Pro 6    | Surface_Pro_6_1796_Commercial    |
+| Surface Laptop                                               | Surface Laptop   | Surface_Laptop                   |
 | Surface Laptop 2 Consumer                                    | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer   |
 | Surface Laptop 2 Commercial                                  | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial |
 | Surface Pro 7                 | Surface Pro 7    | Surface_Pro_7_1866         |
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
index 6e225137c2..d30a955dac 100644
--- a/devices/surface/surface-wireless-connect.md
+++ b/devices/surface/surface-wireless-connect.md
@@ -4,12 +4,11 @@ description: This topic describes recommended Wi-Fi settings to ensure Surface d
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
+author: coveminer
 ms.audience: itpro
 ms.localizationpriority: medium
-ms.author: dansimp
+ms.author: v-jokai
 ms.topic: article
-ms.date: 10/31/2019
 ms.reviewer: tokatz
 manager: dansimp
 ---
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 39b70f6006..6174474de7 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -6,10 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 01/06/2017
 ms.reviewer: 
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index ac6102c2ef..bac99f89bc 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 1ac8eb8aa2..da2a90ea0b 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -6,10 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 11/22/2019
 ms.reviewer: 
 manager: dansimp
 ms.localizationpriority: medium
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 20ad4f6903..40c991f145 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -6,12 +6,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 53ff389c02..37cb7a1d1e 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -7,10 +7,9 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
-ms.date: 12/30/2019
 ms.reviewer: scottmca
 manager: dansimp
 ms.audience: itpro
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 1fbdba19cf..b008fa625a 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -8,12 +8,11 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 02/14/2020
 ---
 
 # Windows Autopilot and Surface devices
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index c326ec1cba..69d4efc9c1 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -20,7 +20,7 @@ manager: dansimp
 -   Windows 10  
 
 
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. 
+Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. 
 
 Follow the guidance in this topic to set up Take a Test on multiple PCs.
 
@@ -130,7 +130,7 @@ To set up a test account through Windows Configuration Designer, follow these st
 
 1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd).
 2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
-   1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**.
+   1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
    2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
    3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
 
@@ -211,7 +211,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
 
      For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
 
-     To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+     To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
 
    - Create a link using schema activation
 
@@ -255,7 +255,7 @@ One of the ways you can present content in a locked down manner is by embedding
    See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
 
 ### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
 
 1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
 2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 41fbb7b7fd..1286a5aec8 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -66,7 +66,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
 
      For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
 
-     To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+     To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
 
    - Create a link using schema activation
 
@@ -117,7 +117,7 @@ One of the ways you can present content in a locked down manner is by embedding
 
 
 ### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
 
 1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
 2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index fed3ff8374..7e016c22c0 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -34,8 +34,12 @@ Many schools use online testing for formative and summative assessments. It's cr
 
 ![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png)
 
-There are several ways to configure devices for assessments. You can:
-- **Configure an assessment URL and a dedicated testing account**
+There are several ways to configure devices for assessments, depending on your use case:
+
+- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL. 
+- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
+
+1. **Configure an assessment URL and a dedicated testing account**
 
     In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
 
@@ -58,9 +62,9 @@ There are several ways to configure devices for assessments. You can:
 
       For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
 
-- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link**
+2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method** 
 
-    This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+    This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
 
     You can enable this using a schema activation.
 
diff --git a/mdop/agpm/agpm-4-navengl.md b/mdop/agpm/agpm-4-navengl.md
index 76b3146249..d9b63043f8 100644
--- a/mdop/agpm/agpm-4-navengl.md
+++ b/mdop/agpm/agpm-4-navengl.md
@@ -25,7 +25,8 @@ ms.date: 06/16/2016
 
 -   [Release Notes for Microsoft Advanced Group Policy Management 4.0](release-notes-for-microsoft-advanced-group-policy-management-40.md)
 
- 
+> [!NOTE]
+> Advanced Group Policy Management (AGPM) 4.0 will be end of life on January 12, 2021. Please upgrade to a supported version, such as AGPM 4.0 with Service Pack 3 prior to this date.
 
  
 
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
index abe185ad6b..5fa848da03 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
@@ -45,9 +45,9 @@ For more information about AGPM, see the following:
 
 -   [Advanced Group Policy Management TechNet Library](https://go.microsoft.com/fwlink/?LinkID=146846) (https://go.microsoft.com/fwlink/?LinkID=146846)
 
--   [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (http://www.microsoft.com/technet/mdop)
+-   [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (https://www.microsoft.com/technet/mdop)
 
--   [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (http://www.microsoft.com/gp)
+-   [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (https://www.microsoft.com/gp)
 
 ## Providing feedback
 
diff --git a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
index 8a54d8a0da..03301519d2 100644
--- a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
+++ b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
@@ -102,7 +102,7 @@ The structure of the App-V 5.0 Dynamic Configuration file is explained in the fo
 
 **Header** - the header of a dynamic user configuration file is as follows:
 
-&lt;?xml version="1.0" encoding="utf-8"?&gt;&lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<http://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
+&lt;?xml version="1.0" encoding="utf-8"?&gt;&lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<https://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
 
 The **PackageId** is the same value as exists in the Manifest file.
 
@@ -110,7 +110,7 @@ The **PackageId** is the same value as exists in the Manifest file.
 
 1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored.
 
-   &lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<http://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
+   &lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<https://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
 
    &lt;Applications&gt;
 
@@ -128,7 +128,7 @@ The **PackageId** is the same value as exists in the Manifest file.
 
 2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the &lt;Subsystems&gt;:
 
-   &lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<http://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
+   &lt;UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<https://schemas.microsoft.com/appv/2010/userconfiguration"&gt>;
 
    &lt;Subsystems&gt;
 
@@ -572,7 +572,7 @@ The **PackageId** is the same value as exists in the Manifest file.
 
 **Header** - The header of a Deployment Configuration file is as follows:
 
-&lt;?xml version="1.0" encoding="utf-8"?&gt;&lt;DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<http://schemas.microsoft.com/appv/2010/deploymentconfiguration"&gt>;
+&lt;?xml version="1.0" encoding="utf-8"?&gt;&lt;DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<https://schemas.microsoft.com/appv/2010/deploymentconfiguration"&gt>;
 
 The **PackageId** is the same value as exists in the manifest file.
 
@@ -582,7 +582,7 @@ The **PackageId** is the same value as exists in the manifest file.
 
 -   Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS.
 
-&lt;DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<http://schemas.microsoft.com/appv/2010/deploymentconfiguration"&gt>;
+&lt;DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="<https://schemas.microsoft.com/appv/2010/deploymentconfiguration"&gt>;
 
 &lt;UserConfiguration&gt;
 
diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md
index b37f88f1db..381a1231a7 100644
--- a/mdop/appv-v5/about-app-v-51-reporting.md
+++ b/mdop/appv-v5/about-app-v-51-reporting.md
@@ -16,36 +16,32 @@ ms.date: 08/30/2016
 
 # About App-V 5.1 Reporting
 
-
 Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database.
 
 ## <a href="" id="---------app-v-5-1-reporting-overview"></a> App-V 5.1 Reporting Overview
 
-
 The following list displays the end–to-end high-level workflow for reporting in App-V 5.1.
 
-1.  The App-V 5.1 Reporting server has the following prerequisites:
+1. The App-V 5.1 Reporting server has the following prerequisites:
 
-    -   Internet Information Service (IIS) web server role
+    - Internet Information Service (IIS) web server role
 
-    -   Windows Authentication role (under **IIS / Security**)
+    - Windows Authentication role (under **IIS / Security**)
 
-    -   SQL Server installed and running with SQL Server Reporting Services (SSRS)
+    - SQL Server installed and running with SQL Server Reporting Services (SSRS)
 
     To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display.
 
-2.  Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
+2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
 
-3.  If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at <https://go.microsoft.com/fwlink/?LinkId=397255>.
+3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255).
 
-    **Note**  
-    If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
+    > [!NOTE]
+    > If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
 
-     
+4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
 
-4.  After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
-
-    ``` syntax
+    ```powershell
     Set-AppvClientConfiguration –reportingserverurl <url>:<port> -reportingenabled 1 – ReportingStartTime <0-23> - ReportingRandomDelay <#min>
     ```
 
@@ -53,18 +49,14 @@ The following list displays the end–to-end high-level workflow for reporting i
 
     For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md).
 
-5.  After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
+5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
 
-6.  When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
+6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
 
-    **Note**  
-    By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
+    > [!NOTE]
+    > By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
 
-     
-
-~~~
 If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
-~~~
 
 ### <a href="" id="-------------app-v-5-1-reporting-server-frequently-asked-questions"></a> App-V 5.1 reporting server frequently asked questions
 
@@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti
 <strong>Note</strong><br/><p>Group Policy settings override local settings configured using PowerShell.</p>
 </div>
 <div>
-
 </div></li>
 </ol></td>
 </tr>
 </tbody>
 </table>
- 
-
 
 ## <a href="" id="---------app-v-5-1-client-reporting"></a> App-V 5.1 Client Reporting
 
-
 To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell.
 
 ### Configuring App-V Client reporting using PowerShell
 
 The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client.
 
-**Note**  
-The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
- 
-
+> [!NOTE]
+> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
 
 **To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**:
 
-`Set-AppVClientConfiguration –ReportingEnabled 1`
+```powershell
+Set-AppVClientConfiguration –ReportingEnabled 1
+```
 
 **To configure the client to automatically send data to a specific reporting server**:
 
-``` syntax
-Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30
+```powershell
+Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30
 ```
 
-`-ReportingInterval 1 -ReportingRandomDelay 30`
-
-This example configures the client to automatically send the reporting data to the reporting server URL <strong>http://MyReportingServer:MyPort/</strong>. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
+This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
 
 **To limit the size of the data cache on the client**:
 
-`Set-AppvClientConfiguration –ReportingDataCacheLimit 100`
+```powershell
+Set-AppvClientConfiguration –ReportingDataCacheLimit 100
+```
 
 Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary.
 
 **To configure the data block size transmitted across the network between the client and the server**:
 
-`Set-AppvClientConfiguration –ReportingDataBlockSize 10240`
+```powershell
+Set-AppvClientConfiguration –ReportingDataBlockSize 10240
+```
 
 Specifies the maximum data block that the client sends to 10240 MB.
 
@@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB.
 
 The following table displays the types of information you can collect by using App-V 5.1 reporting.
 
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Client Information</th>
-<th align="left">Package Information</th>
-<th align="left">Application Usage</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Host Name</p></td>
-<td align="left"><p>Package Name</p></td>
-<td align="left"><p>Start and End Times</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>App-V 5.1 Client Version</p></td>
-<td align="left"><p>Package Version</p></td>
-<td align="left"><p>Run Status</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Processor Architecture</p></td>
-<td align="left"><p>Package Source</p></td>
-<td align="left"><p>Shutdown State</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Operating System Version</p></td>
-<td align="left"><p>Percent Cached</p></td>
-<td align="left"><p>Application Name</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Service Pack Level</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Application Version</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Operating System Type</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Username</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Connection Group</p></td>
-</tr>
-</tbody>
-</table>
- 
-
+|Client Information  |Package Information  |Application Usage  |
+|---------|---------|---------|
+|Host Name |Package Name|Start and End Times|
+|App-V 5.1 Client Version |Package Version|Run Status|
+|Processor Architecture |Package Source|Shutdown State|
+|Operating System Version|Percent Cached|Application Name|
+|Service Pack Level| |Application Version|
+|Operating System Type| |Username|
+| | |Connection Group|
 
 The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file.
 
@@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is
 
 You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings:
 
--   ReportingEnabled
-
--   ReportingServerURL
-
--   ReportingStartTime
-
--   ReportingInterval
-
--   ReportingRandomDelay
+- ReportingEnabled
+- ReportingServerURL
+- ReportingStartTime
+- ReportingInterval
+- ReportingRandomDelay
 
 After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet:
 
-`Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess`
+```powershell
+Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess
+```
 
 If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection.
 
@@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
 <strong>Note</strong><br/><p>If a location other than the Reporting Server is specified, the data is sent using <strong>.xml</strong> format with no additional processing.</p>
 </div>
 <div>
- 
 </div></td>
 </tr>
 </tbody>
 </table>
 
- 
-
 ### Creating Reports
 
 To retrieve report information and create reports using App-V 5.1 you must use one of the following methods:
 
--   **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
+- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
 
     Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596).
 
--   **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
+- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
 
     **Stored Procedure:**
 
@@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o
 
     The stored procedure is also created when using the App-V 5.1 database scripts.
 
-You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
-
-
-
-
-
+You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
 
 ## Related topics
 
-
 [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
 
 [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/mdop/appv-v5/about-the-connection-group-file.md b/mdop/appv-v5/about-the-connection-group-file.md
index 6052eca8c9..49785fcb96 100644
--- a/mdop/appv-v5/about-the-connection-group-file.md
+++ b/mdop/appv-v5/about-the-connection-group-file.md
@@ -87,7 +87,7 @@ The following table describes the parameters in the XML file that define the con
 <td align="left"><p>Schema name</p></td>
 <td align="left"><p>Name of the schema.</p>
 <p><strong>Applicable starting in App-V 5.0 SP3</strong>: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:</p>
-<p><code>xmlns=&quot;<a href="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;</code></p></td>
+<p><code>xmlns=&quot;<a href="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;</code></p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>AppConnectionGroupId</p></td>
@@ -160,8 +160,8 @@ The following example connection group XML file shows examples of the fields in
 ```XML
 <?xml version="1.0" encoding="UTF-16"?>
 <appv:AppConnectionGroup 
-   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
-   xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+   xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+   xmlns:appv="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
    AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
    VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"  
    Priority="0"  
@@ -188,8 +188,8 @@ The following example connection group XML file applies to App-V 5.0 through App
 ```XML
 <?xml version="1.0" encoding="UTF-16"?>
 <appv:AppConnectionGroup
-   xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
-   xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+   xmlns="https://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+   xmlns:appv="https://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
    AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
    VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
    Priority="0"
diff --git a/mdop/appv-v5/about-the-connection-group-file51.md b/mdop/appv-v5/about-the-connection-group-file51.md
index 4b7274562f..c135acab7f 100644
--- a/mdop/appv-v5/about-the-connection-group-file51.md
+++ b/mdop/appv-v5/about-the-connection-group-file51.md
@@ -87,7 +87,7 @@ The following table describes the parameters in the XML file that define the con
 <td align="left"><p>Schema name</p></td>
 <td align="left"><p>Name of the schema.</p>
 <p><strong>Applicable starting in App-V 5.0 SP3</strong>: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:</p>
-<p><code>xmlns=&quot;<a href="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;</code></p></td>
+<p><code>xmlns=&quot;<a href="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;</code></p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>AppConnectionGroupId</p></td>
@@ -160,8 +160,8 @@ The following example connection group XML file shows examples of the fields in
 ```XML
 <?xml version="1.0" encoding="UTF-16">
 <appv:AppConnectionGroup 
-  xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
-  xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"  
+  xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
+  xmlns:appv="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"  
   AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
   VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
   Priority="0"  
@@ -188,8 +188,8 @@ The following example connection group XML file applies to App-V 5.0 through App
 ```XML
 <?xml version="1.0" encoding="UTF-16">
 <appv:AppConnectionGroup
-  xmlns="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
-  xmlns:appv="http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+  xmlns="https://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
+  xmlns:appv="https://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup"
   AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
   VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
   Priority="0"
diff --git a/mdop/appv-v5/app-v-51-planning-checklist.md b/mdop/appv-v5/app-v-51-planning-checklist.md
index 52ac3984ce..e1f8ef66b6 100644
--- a/mdop/appv-v5/app-v-51-planning-checklist.md
+++ b/mdop/appv-v5/app-v-51-planning-checklist.md
@@ -16,86 +16,21 @@ ms.date: 06/16/2016
 
 # App-V 5.1 Planning Checklist
 
-
 This checklist can be used to help you plan for preparing your computing environment for Microsoft Application Virtualization (App-V) 5.1 deployment.
 
-**Note**  
-This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
-
- 
-
-<table>
-<colgroup>
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left"></th>
-<th align="left">Task</th>
-<th align="left">References</th>
-<th align="left">Notes</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.</p></td>
-<td align="left"><p><a href="getting-started-with-app-v-51.md" data-raw-source="[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)">Getting Started with App-V 5.1</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.</p></td>
-<td align="left"><p><a href="app-v-51-prerequisites.md" data-raw-source="[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)">App-V 5.1 Prerequisites</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>If you plan to use the App-V 5.1 management server, plan for the required roles.</p></td>
-<td align="left"><p><a href="planning-for-the-app-v-51-server-deployment.md" data-raw-source="[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)">Planning for the App-V 5.1 Server Deployment</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.</p></td>
-<td align="left"><p><a href="planning-for-the-app-v-51-sequencer-and-client-deployment.md" data-raw-source="[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)">Planning for the App-V 5.1 Sequencer and Client Deployment</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>If applicable, review the options and steps for migrating from a previous version of App-V.</p></td>
-<td align="left"><p><a href="planning-for-migrating-from-a-previous-version-of-app-v51.md" data-raw-source="[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)">Planning for Migrating from a Previous Version of App-V</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
-<td align="left"><p>Plan for running App-V 5.1 clients using in shared content store mode.</p></td>
-<td align="left"><p><a href="how-to-install-the-app-v-51-client-for-shared-content-store-mode.md" data-raw-source="[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)">How to Install the App-V 5.1 Client for Shared Content Store Mode</a></p></td>
-<td align="left"><p></p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
-
-
-
+> [!NOTE]
+> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
 
+| |Task |References |
+|-|-|-|
+|![Checklist box](images/checklistbox.gif) |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)|
+|![Checklist box](images/checklistbox.gif) |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)|
+|![Checklist box](images/checklistbox.gif) |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)|
+|![Checklist box](images/checklistbox.gif) |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)|
+|![Checklist box](images/checklistbox.gif) |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)|
+|![Checklist box](images/checklistbox.gif) |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)|
+|![Checklist box](images/checklistbox.gif) |         |         |
 
 ## Related topics
 
-
 [Planning for App-V 5.1](planning-for-app-v-51.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md
index aa2a35a202..7785be89ee 100644
--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@@ -10,18 +10,16 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 09/27/2016
+ms.date: 04/02/2020
 ---
 
 
 # App-V 5.1 Supported Configurations
 
-
 This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment.
 
 ## App-V Server system requirements
 
-
 This section lists the operating system and hardware requirements for all of the App-V Server components.
 
 ### Unsupported App-V 5.1 Server scenarios
@@ -117,6 +115,12 @@ The following table lists the SQL Server versions that are supported for the App
 </tr>
 </thead>
 <tbody>
+<tr class="even">
+<td align="left"><p>Microsoft SQL Server 2019</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>32-bit or 64-bit</p></td>
+</tr>
+
 <tr class="odd">
 <td align="left"><p>Microsoft SQL Server 2017</p></td>
 <td align="left"><p></p></td>
@@ -145,7 +149,7 @@ The following table lists the SQL Server versions that are supported for the App
 </tbody>
 </table>
 
- 
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
 
 ### Publishing server operating system requirements
 
@@ -303,7 +307,6 @@ The following table lists the SQL Server versions that are supported for the App
 
 ## <a href="" id="bkmk-client-supp-cfgs"></a>App-V client system requirements
 
-
 The following table lists the operating systems that are supported for the App-V 5.1 client installation.
 
 **Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
@@ -416,7 +419,6 @@ App-V adds no additional requirements beyond those of Windows Server.
 
 ## Sequencer system requirements
 
-
 The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation.
 
 <table>
@@ -479,7 +481,6 @@ See the Windows or Windows Server documentation for the hardware requirements. A
 
 ## <a href="" id="bkmk-supp-ver-sccm"></a>Supported versions of System Center Configuration Manager
 
-
 The App-V client supports the following versions of System Center Configuration Manager:
 
 -   Microsoft System Center 2012 Configuration Manager
@@ -543,23 +544,8 @@ The following App-V and System Center Configuration Manager version matrix shows
 
 For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
 
-
-
-
-
-
 ## Related topics
 
-
 [Planning to Deploy App-V](planning-to-deploy-app-v51.md)
 
 [App-V 5.1 Prerequisites](app-v-51-prerequisites.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
index 4d6223aabf..b74f0be3c2 100644
--- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
+++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
@@ -16,63 +16,46 @@ ms.date: 06/16/2016
 
 # How to install the Reporting Server on a Standalone Computer and Connect it to the Database
 
-
 Use the following procedure to install the reporting server on a standalone computer and connect it to the database.
 
-**Important**  
+**Important**
 Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md).
 
+## To install the reporting server on a standalone computer and connect it to the database
 
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
 
-**To install the reporting server on a standalone computer and connect it to the database**
+2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
 
-1.  Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
 
-2.  On the **Getting Started** page, review and accept the license terms, and click **Next**.
+4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
 
-3.  On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
+5. On the **Installation Location** page, accept the default location and click **Next**.
 
-4.  On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
+6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
 
-5.  On the **Installation Location** page, accept the default location and click **Next**.
+    > [!NOTE]
+    > If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
 
-6.  On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
+    For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
 
-    **Note**  
-    If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
-
-
-
-~~~
-For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
-
-Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
-~~~
+    Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
 
 7. On the **Configure Reporting Server Configuration** page.
 
-   -   Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
+   - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
 
-   -   For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
+   - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
 
 8. Click **Install**.
 
-   **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
 
 ## Related topics
 
-
 [About App-V 5.1 Reporting](about-app-v-51-reporting.md)
 
 [Deploying App-V 5.1](deploying-app-v-51.md)
 
 [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
index 02c3ed99ef..08be8a6ee4 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
@@ -36,7 +36,7 @@ The following procedure does not require an App-V 5.0 management server.
 
    &lt;DeploymentConfiguration
 
-   xmlns="<http://schemas.microsoft.com/appv/2010/deploymentconfiguration>" PackageId=&lt;Package ID&gt; DisplayName=&lt;Display Name&gt;
+   xmlns="<https://schemas.microsoft.com/appv/2010/deploymentconfiguration>" PackageId=&lt;Package ID&gt; DisplayName=&lt;Display Name&gt;
 
    &lt;MachineConfiguration/&gt;
 
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
index 19ee17d2ed..3a18c1b154 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
@@ -37,7 +37,7 @@ The following procedure does not require an App-V 5.1 management server.
 
    &lt;DeploymentConfiguration
 
-   xmlns="<http://schemas.microsoft.com/appv/2010/deploymentconfiguration>" PackageId=&lt;Package ID&gt; DisplayName=&lt;Display Name&gt;
+   xmlns="<https://schemas.microsoft.com/appv/2010/deploymentconfiguration>" PackageId=&lt;Package ID&gt; DisplayName=&lt;Display Name&gt;
 
    &lt;MachineConfiguration/&gt;
 
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
index 5221f2f8c7..6e636ec80a 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
@@ -29,7 +29,7 @@ Use the following procedure to migrate packages created with App-V using the use
 
    &lt;UserConfiguration PackageId=&lt;Package ID&gt; DisplayName=&lt;Name of the Package&gt;
 
-   xmlns="<http://schemas.microsoft.com/appv/2010/userconfiguration"&gt>; &lt;ManagingAuthority TakeoverExtensionPointsFrom46="true"
+   xmlns="<https://schemas.microsoft.com/appv/2010/userconfiguration"&gt>; &lt;ManagingAuthority TakeoverExtensionPointsFrom46="true"
 
    PackageName=&lt;Package ID&gt;
 
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
index ddcc67a299..cbec1bdbe6 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
@@ -32,7 +32,7 @@ This procedure assumes that you are running the latest version of App-V 4.6.
 
    &lt;UserConfiguration PackageId=&lt;Package ID&gt; DisplayName=&lt;Name of the Package&gt;
 
-   xmlns="<http://schemas.microsoft.com/appv/2010/userconfiguration"&gt>; &lt;ManagingAuthority TakeoverExtensionPointsFrom46="true"
+   xmlns="<https://schemas.microsoft.com/appv/2010/userconfiguration"&gt>; &lt;ManagingAuthority TakeoverExtensionPointsFrom46="true"
 
    PackageName=&lt;Package ID&gt;
 
diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
index d8239f46ed..8c95c046c5 100644
--- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
+++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
@@ -119,7 +119,7 @@ Before using optional packages, see [Requirements for using optional packages in
 <p><strong>Example connection group XML document with optional packages:</strong></p>
 <pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; ?&gt;
 &lt;AppConnectionGroup
-   xmlns=&quot;<a href="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;
+   xmlns=&quot;<a href="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;
    AppConnectionGroupId=&quot;8105CCD5-244B-4BA1-8888-E321E688D2CB&quot;
    VersionId=&quot;84CE3797-F1CB-4475-A223-757918929EB4&quot;
    DisplayName=&quot;Contoso Software Connection Group&quot; &gt;
diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
index 8a87b7ff92..b29a4ff7a9 100644
--- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
+++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
@@ -118,7 +118,7 @@ Before using optional packages, see [Requirements for using optional packages in
 <p><strong>Example connection group XML document with optional packages:</strong></p>
 <pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; ?&gt;
 &lt;AppConnectionGroup
-   xmlns=&quot;<a href="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;
+   xmlns=&quot;<a href="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot" data-raw-source="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&amp;quot">https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot</a>;
    AppConnectionGroupId=&quot;8105CCD5-244B-4BA1-8888-E321E688D2CB&quot;
    VersionId=&quot;84CE3797-F1CB-4475-A223-757918929EB4&quot;
    DisplayName=&quot;Contoso Software Connection Group&quot; &gt;
diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md
index c51ad7bc30..8f3c652084 100644
--- a/mdop/appv-v5/index.md
+++ b/mdop/appv-v5/index.md
@@ -21,8 +21,14 @@ Microsoft Application Virtualization (App-V) 5 lets administrators make applicat
 
 [Microsoft Application Virtualization 5.1 Administrator's Guide](microsoft-application-virtualization-51-administrators-guide.md)
 
+> [!NOTE]
+> Application Virtualization 5.1 for Remote Desktop Services will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
 [Microsoft Application Virtualization 5.0 Administrator's Guide](microsoft-application-virtualization-50-administrators-guide.md)
 
+> [!NOTE] 
+> Application Virtualization 5.0 for Windows Desktops will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
 ## More Information
 
 
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
index d8aa6ae42a..d18673c97f 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
@@ -476,11 +476,11 @@ Server Performance Tuning Guidelines for
 
 -   [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
 
--   [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+-   [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
 
 -   [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
 
--   [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+-   [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
 
 ## Sequencing Steps to Optimize Packages for Publishing Performance
 
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
index 936a78123f..c6309edacb 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
@@ -483,11 +483,11 @@ Server Performance Tuning Guidelines for
 
 -   [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
 
--   [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+-   [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
 
 -   [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
 
--   [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+-   [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
 
 ## Sequencing Steps to Optimize Packages for Publishing Performance
 
diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
index b821b00937..f230087d93 100644
--- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
@@ -68,9 +68,9 @@ The XML declaration must specify the XML version 1.0 attribute (&lt;?xml version
 
 **Type: String**
 
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
 
-`<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
+`<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
 
 ### <a href="" id="data21"></a>Data types
 
@@ -644,10 +644,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema id="UevSettingsLocationTemplate"
-  targetNamespace="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  targetNamespace="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
   elementFormDefault="qualified"
-  xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
-  xmlns:mstns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  xmlns="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  xmlns:mstns="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
   xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
     <xs:simpleType name="Guid">
@@ -1005,9 +1005,9 @@ The XML declaration must specify the XML version 1.0 attribute (&lt;?xml version
 
 **Type: String**
 
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
 
-`<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
+`<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
 
 ### <a href="" id="data"></a>Data types
 
@@ -1578,10 +1578,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema id="UevSettingsLocationTemplate"
-  targetNamespace="http://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
+  targetNamespace="https://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
   elementFormDefault="qualified"
-  xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
-  xmlns:mstns="http://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
+  xmlns="https://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
+  xmlns:mstns="https://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate"
   xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   <xs:simpleType name="Guid">
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index cfbb3dcb99..3989e6d860 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -61,7 +61,7 @@ People in your org can request license for apps that they need, or that others n
 
 ## Acquire apps
 **To acquire an app**  
-1. Sign in to http://businessstore.microsoft.com
+1. Sign in to https://businessstore.microsoft.com
 2. Select **Shop for my group**, or use Search to find an app. 
 3. Select the app you want to purchase. 
 4. On the product description page, choose your license type - either online or offline. 
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 7b5828d9c2..1eb4d1d50b 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -44,51 +44,51 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
 
 <br>
 
-| Package name                           | App name                                                                                                           | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
-|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder                    | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe)                                        | x    |      |      |      | Yes                   |
-| Microsoft.BingWeather                  | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe)                                     | x    | x    | x    | x    | Yes                   |
-| Microsoft.DesktopAppInstaller          | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe)                           | x    | x    | x    | x    | Via Settings App      |
-| Microsoft.GetHelp                      | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe)                                            |      | x    | x    | x    | No                    |
-| Microsoft.Getstarted                   | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe)                                   | x    | x    | x    | x    | No                    |
-| Microsoft.HEIFImageExtension           | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe)                    |      |      |      | x    | No                    |
-| Microsoft.Messaging                    | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe)                               | x    | x    | x    | x    | No                    |
-| Microsoft.Microsoft3DViewer            | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe)                      | x    | x    | x    | x    | No                    |
-| Microsoft.MicrosoftOfficeHub           | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)                                | x    | x    | x    | x    | Yes                   |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x    | x    | x    | x    | Yes                   |
-| Microsoft.MicrosoftStickyNotes         | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
-| Microsoft.MixedReality.Portal          | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe)                    |      |      |      | x    | No                    |
-| Microsoft.MSPaint                      | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe)                                            | x    | x    | x    | x    | No                    |
-| Microsoft.Office.OneNote               | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe)                                      | x    | x    | x    | x    | Yes                   |
-| Microsoft.OneConnect                   | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe)                            | x    | x    | x    | x    | No                    |
-| Microsoft.People                       | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe)                                     | x    | x    | x    | x    | No                    |
-| Microsoft.Print3D                      | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe)                                            |      | x    | x    | x    | No                    |
-| Microsoft.ScreenSketch                 | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe)                                  |      |      |      | x    | No                    |
-| Microsoft.SkypeApp                     | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c)                                              | x    | x    | x    | x    | No                    |
-| Microsoft.StorePurchaseApp             | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe)                         | x    | x    | x    | x    | No                    |
-| Microsoft.VP9VideoExtensions           |                                                                                                                    |      |      |      | x    | No                    |
-| Microsoft.Wallet                       | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe)                                        | x    | x    | x    | x    | No                    |
-| Microsoft.WebMediaExtensions           | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe)                     |      |      | x    | x    | No                    |
-| Microsoft.WebpImageExtension           | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe)                     |      |      |      | x    | No                    |
-| Microsoft.Windows.Photos               | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe)                             | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsAlarms                | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe)                        | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsCalculator            | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe)                        | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsCamera                | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe)                                | x    | x    | x    | x    | No                    |
-| microsoft.windowscommunicationsapps    | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsFeedbackHub           | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)                             | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsMaps                  | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe)                                    | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsSoundRecorder         | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
-| Microsoft.WindowsStore                 | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe)                                | x    | x    | x    | x    | No                    |
-| Microsoft.Xbox.TCUI                    | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe)                                         |      | x    | x    | x    | No                    |
-| Microsoft.XboxApp                      | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe)                                                | x    | x    | x    | x    | No                    |
-| Microsoft.XboxGameOverlay              | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe)                               | x    | x    | x    | x    | No                    |
-| Microsoft.XboxGamingOverlay            | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe)                       |      |      | x    | x    | No                    |
-| Microsoft.XboxIdentityProvider         | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
-| Microsoft.XboxSpeechToTextOverlay      |                                                                                                                    | x    | x    | x    | x    | No                    |
-| Microsoft.YourPhone                    | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe)                                        |      |      |      | x    | No                    |
-| Microsoft.ZuneMusic                    | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe)                                      | x    | x    | x    | x    | No                    |
-| Microsoft.ZuneVideo                    | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe)                                       | x    | x    | x    | x    | No                    |
-
+| Package name                                 | App name                                                                                                                       | 1709 | 1803 | 1809 | 1909 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder                          | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe)                                                    |      |      |      |      |          Yes          |
+| Microsoft.BingWeather                        | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe)                                                 |   x  |   x  |   x  |   x  |          Yes          |
+| Microsoft.DesktopAppInstaller                | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe)                                       |   x  |   x  |   x  |   x  |    Via Settings App   |
+| Microsoft.GetHelp                            | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe)                                                        |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Getstarted                         | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe)                                               |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.HEIFImageExtension                 | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe)                                |      |      |   x  |   x  |           No          |
+| Microsoft.Messaging                          | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe)                                           |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Microsoft3DViewer                  | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe)                                  |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.MicrosoftOfficeHub                 | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)                                            |   x  |   x  |   x  |   x  |          Yes          |
+| Microsoft.MicrosoftSolitaireCollection       | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe)             |   x  |   x  |   x  |   x  |          Yes          |
+| Microsoft.MicrosoftStickyNotes               | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe)                             |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.MixedReality.Portal                | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe)                                |      |      |   x  |   x  |           No          |
+| Microsoft.MSPaint                            | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe)                                                        |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Office.OneNote                     | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe)                                                  |   x  |   x  |   x  |   x  |          Yes          |
+| Microsoft.OneConnect                         | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe)                                        |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Outlook.DesktopIntegrationServices | |      |      |      |   x  |                       |
+| Microsoft.People                             | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe)                                                 |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Print3D                            | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe)                                                        |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.ScreenSketch                       | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe)                                              |      |      |   x  |   x  |           No          |
+| Microsoft.SkypeApp                           | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c)                                                          |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.StorePurchaseApp                   | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe)                                     |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.VP9VideoExtensions                 |                                                                                                                                |      |      |   x  |   x  |           No          |
+| Microsoft.Wallet                             | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe)                                                    |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WebMediaExtensions                 | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe)                                 |      |   x  |   x  |   x  |           No          |
+| Microsoft.WebpImageExtension                 | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe)                                 |      |      |   x  |   x  |           No          |
+| Microsoft.Windows.Photos                     | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe)                                         |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsAlarms                      | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe)                                    |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsCalculator                  | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe)                                    |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsCamera                      | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe)                                            |   x  |   x  |   x  |   x  |           No          |
+| microsoft.windowscommunicationsapps          | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe)                             |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsFeedbackHub                 | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)                                         |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsMaps                        | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe)                                                |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsSoundRecorder               | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe)                             |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.WindowsStore                       | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe)                                            |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.Xbox.TCUI                          | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe)                                                     |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.XboxApp                            | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe)                                                            |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.XboxGameOverlay                    | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe)                                           |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.XboxGamingOverlay                  | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe)                                   |      |   x  |   x  |   x  |           No          |
+| Microsoft.XboxIdentityProvider               | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe)                             |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.XboxSpeechToTextOverlay            |                                                                                                                                |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.YourPhone                          | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe)                                                    |      |      |   x  |   x  |           No          |
+| Microsoft.ZuneMusic                          | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe)                                                  |   x  |   x  |   x  |   x  |           No          |
+| Microsoft.ZuneVideo                          | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe)                                                   |   x  |   x  |   x  |   x  |           No          |
 
 >[!NOTE]
 >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
@@ -149,7 +149,7 @@ System apps are integral to the operating system. Here are the typical system ap
 
 
 > [!NOTE]
-> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
+> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
 
 ## Installed Windows apps
 
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 6601e238eb..52a10357c5 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 ms.author: delhan
 ms.date: 8/28/2019
 ms.reviewer: 
-manager: dcscontentpm
+manager: willchen
 ---
 
 # Generate a kernel or complete crash dump 
@@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
 2. Select **Start**, and then select **Command Prompt**.
 3. At the command line, run the following command:
 
-   ```cmd
+   ```console
    notMyfault.exe /crash
    ```
 
@@ -80,6 +80,7 @@ To do this, follow these steps:
 > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
 
 1. In Registry Editor, locate the following registry subkey:
+
    **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
 
 2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.
@@ -101,6 +102,8 @@ To do this, follow these steps:
 
 9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
 
+If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
+
 ### Use the keyboard
 
 [Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
@@ -108,4 +111,3 @@ To do this, follow these steps:
 ### Use Debugger
 
 [Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
-
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index d6d6a9fc16..40de22d2b3 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: lomayor
-ms.date: 04/17/2018
+ms.date: 03/27/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -39,6 +39,9 @@ Available naming macros:
 
 Supported operation is Add.
 
+> [!Note]
+> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+
 <a href="" id="users"></a>**Users**  
 Interior node for the user account information.
 
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 24d475d6e4..413f6d9c1e 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -9,7 +9,6 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: lomayor
-ms.date: 09/05/2017
 ---
 
 # Azure Active Directory integration with MDM
@@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows
 
 Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
 
-> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
+> [!IMPORTANT]
+> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
 
  
 ### BYOD scenario
@@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F
 
 Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
 
-> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
+> [!NOTE]
+> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
 
  
 ### MDM endpoints involved in Azure AD integrated enrollment
@@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
 <a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
 Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
 
-It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
+It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
 
 The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
 
@@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili
 
 The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
 
-> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+> [!NOTE]
+> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
 
  
 The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
@@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s
 
 An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
 
-The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
 
 Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
 
@@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
 <thead>
 <tr class="header">
 <th>CXH-HOST (HTTP HEADER)</th>
-<th>Senario</th>
+<th>Scenario</th>
 <th>Background Theme</th>
 <th>WinJS</th>
 <th>Scenario CSS</th>
@@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T
 </tbody>
 </table>
  
-&gt; <strong>Note</strong>  There is no device ID claim in the access token because the device may not yet be enrolled at this time.
+> [!NOTE]
+> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
 
- 
 To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
 
 Here's an example URL.
 
-``` syntax
+```console
 https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
 Authorization: Bearer eyJ0eXAiOi
 ```
@@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu
 
 Here is the URL format:
 
-``` syntax
+```console
 HTTP/1.1 302
 Location:
 <redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
@@ -426,7 +428,7 @@ The following table shows the error codes.
 <td style="vertical-align:top"><p>unsupported version</p></td>
 </tr>
 <tr class="even">
-<td style="vertical-align:top"><p>Tenant or user data are missingor other required prerequisites for device enrollment are not met</p></td>
+<td style="vertical-align:top"><p>Tenant or user data are missing or other required prerequisites for device enrollment are not met</p></td>
 <td style="vertical-align:top"><p>302</p></td>
 <td style="vertical-align:top"><p>unauthorized_client</p></td>
 <td style="vertical-align:top"><p>unauthorized user or tenant</p></td>
@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde
 <a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
 The Azure AD token is in the HTTP Authorization header in the following format:
 
-``` syntax
+```console
 Authorization:Bearer <Azure AD User Token Inserted here>
 ```
 
@@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is
 
 An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
 
-``` syntax
+```xml
 Alert Type: com.microsoft/MDM/AADUserToken
 
 Alert sample:
@@ -636,7 +638,7 @@ Alert sample:
    <Data>UserToken inserted here</Data>
   </Item>
  </Alert>
- … other xml tags …
+ … other XML tags …
 </SyncBody>
 ```
 
@@ -665,7 +667,7 @@ Here's an example.
    <Data>user</Data>
   </Item>
  </Alert>
- … other xml tags …
+ … other XML tags …
 </SyncBody>
 ```
 
@@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
 
 The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
 
-> **Note**  This is only applicable for approved MDM apps on Windows 10 devices.
+> [!NOTE]
+> This is only applicable for approved MDM apps on Windows 10 devices.
 
-``` syntax
+```console
 Sample Graph API Request:
 
 PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
@@ -713,7 +716,7 @@ Response:
 
 When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
 
-![aadj unenerollment](images/azure-ad-unenrollment.png)
+![aadj unenrollment](images/azure-ad-unenrollment.png)
 
 ## Error codes
 
@@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
 
 
 
-
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 9292eb002c..859ffd1672 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 07/11/2018
+ms.date: 03/27/2020
 ---
 
 # DevDetail CSP
@@ -29,121 +29,136 @@ The following diagram shows the DevDetail configuration service provider managem
 ![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png)
 
 <a href="" id="devtyp"></a>**DevTyp**  
-<p style="margin-left: 20px"><p style="margin-left: 20px">Required. Returns the device model name /SystemProductName as a string.
+Required. Returns the device model name /SystemProductName as a string.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="oem"></a>**OEM**  
-<p style="margin-left: 20px">Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="fwv"></a>**FwV**  
-<p style="margin-left: 20px">Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
+Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
 
-<p style="margin-left: 20px">For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="swv"></a>**SwV**  
-<p style="margin-left: 20px">Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="hwv"></a>**HwV**  
-<p style="margin-left: 20px">Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
+Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
 
-<p style="margin-left: 20px">For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="lrgobj"></a>**LrgObj**  
-<p style="margin-left: 20px">Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="uri-maxdepth"></a>**URI/MaxDepth**  
-<p style="margin-left: 20px">Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
+Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
-<p style="margin-left: 20px">This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
+This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
 
 <a href="" id="uri-maxtotlen"></a>**URI/MaxTotLen**  
-<p style="margin-left: 20px">Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
+Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
-<p style="margin-left: 20px">This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
+This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
 
 <a href="" id="uri-maxseglen"></a>**URI/MaxSegLen**  
-<p style="margin-left: 20px">Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
+Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
-<p style="margin-left: 20px">This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
+This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
 
 <a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**  
-<p style="margin-left: 20px">Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
+Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
-<p style="margin-left: 20px">The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-
-<a href="" id="ext-microsoft-localtime"></a>**Ext/Microsoft/LocalTime**  
-<p style="margin-left: 20px">Required. Returns the client local time in ISO 8601 format.
-
-<p style="margin-left: 20px">Supported operation is Get.
-
-<a href="" id="ext-microsoft-osplatform"></a>**Ext/Microsoft/OSPlatform**  
-<p style="margin-left: 20px">Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
-
-<p style="margin-left: 20px">Supported operation is Get.
-
-<a href="" id="ext-microsoft-processortype"></a>**Ext/Microsoft/ProcessorType**  
-<p style="margin-left: 20px">Required. Returns the processor type of the device as documented in SYSTEM_INFO.
-
-<p style="margin-left: 20px">Supported operation is Get.
+The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
 
 <a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**  
-<p style="margin-left: 20px">Required. Returns the radio stack software version number.
+Required. Returns the radio stack software version number.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="ext-microsoft-resolution"></a>**Ext/Microsoft/Resolution**  
-<p style="margin-left: 20px">Required. Returns the UI screen resolution of the device (example: &quot;480x800&quot;).
+Required. Returns the UI screen resolution of the device (example: &quot;480x800&quot;).
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="ext-microsoft-commercializationoperator"></a>**Ext/Microsoft/CommercializationOperator**  
-<p style="margin-left: 20px">Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
+Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="ext-microsoft-processorarchitecture"></a>**Ext/Microsoft/ProcessorArchitecture**  
-<p style="margin-left: 20px">Required. Returns the processor architecture of the device as &quot;arm&quot; or &quot;x86&quot;.
+Required. Returns the processor architecture of the device as &quot;arm&quot; or &quot;x86&quot;.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
+
+<a href="" id="ext-microsoft-processortype"></a>**Ext/Microsoft/ProcessorType**  
+Required. Returns the processor type of the device as documented in SYSTEM_INFO.
+
+Supported operation is Get.
+
+<a href="" id="ext-microsoft-osplatform"></a>**Ext/Microsoft/OSPlatform**  
+Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
+
+Supported operation is Get.
+
+<a href="" id="ext-microsoft-localtime"></a>**Ext/Microsoft/LocalTime**  
+Required. Returns the client local time in ISO 8601 format.
+
+Supported operation is Get.
 
 <a href="" id="ext-microsoft-devicename"></a>**Ext/Microsoft/DeviceName**  
-<p style="margin-left: 20px">Required. Contains the user-specified device name.
+Required. Contains the user-specified device name.
 
-<p style="margin-left: 20px">Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
+Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
 
-<p style="margin-left: 20px">Value type is string.
+Value type is string.
 
-<p style="margin-left: 20px">Supported operations are Get and Replace.
+Supported operations are Get and Replace.
+
+<a href="" id="ext-microsoft-dnscomputername "></a>**Ext/Microsoft/DNSComputerName**  
+Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
+
+The following are the available naming macros:  
+
+| Macro | Description | Example | Generated Name |
+| -------| -------| -------| -------|
+| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
+| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
+
+Value type is string. Supported operations are Get and Replace.
+
+> [!Note]  
+> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer&quot;s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
 
 <a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**  
-<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
+Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 > [!NOTE]
 > This is only supported in Windows 10 Mobile.
 
 <a href="" id="ext-microsoft-totalram"></a>**Ext/Microsoft/TotalRAM**  
-<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
+Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
 
 Supported operation is Get.
 
@@ -153,45 +168,45 @@ Added in Windows 10, version 1809. SMBIOS Serial Number of the device.
 Value type is string. Supported operation is Get.
 
 <a href="" id="ext-wlanmacaddress"></a>**Ext/WLANMACAddress**  
-<p style="margin-left: 20px">The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
+The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 > [!NOTE]
 > This is not supported in Windows 10 for desktop editions.
 
 <a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**  
-<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
+Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**  
-<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
+Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**  
-<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**  
-<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**  
-<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 <a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**  
-<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
+Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
 
 > [!NOTE]
 > This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
 
-<p style="margin-left: 20px">Supported operation is Get.
+Supported operation is Get.
 
 ## Related topics
 
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index b313ad3605..47df0219d5 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -21,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta
 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 
-The XML below is for Windows 10, version 1809.
+The XML below is the current version for this CSP.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -488,6 +488,28 @@ The XML below is for Windows 10, version 1809.
             </DFType>
           </DFProperties>
         </Node>
+        <Node>
+          <NodeName>DNSComputerName</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:&lt;# of digits&gt;% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456").  (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards.</Description>
+            <DFFormat>
+              <chr />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME>text/plain</MIME>
+            </DFType>
+          </DFProperties>
+        </Node>
         <Node>
           <NodeName>TotalStorage</NodeName>
           <DFProperties>
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 36ba902151..dcc548afd6 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -245,6 +245,7 @@ To collect Event Viewer logs:
 
 ### Useful Links
 
+- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
 - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 6926801241..6ece851369 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 1539c913c4..d691487aa2 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1725,9 +1725,9 @@ Valid values: 0–90
 <!--Description-->
 This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed.  Usually these scheduled scans are missed because the computer was turned off at the scheduled time. 
 
-If you enable this setting, catch-up scans for scheduled full scans will be turned on.  If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer.  If there is no scheduled scan configured, there will be no catch-up scan run. 
+If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer.  If there is no scheduled scan configured, there will be no catch-up scan run. 
 
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+If you enable this setting, catch-up scans for scheduled full scans will be disabled.
 
 Supported values:
 
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index f32917cdbc..adf4eb44d5 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -74,7 +74,7 @@ manager: dansimp
 
 <!--/Scope-->
 <!--Description-->
-Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
 
 The system settings require a reboot; the application settings do not require a reboot.
 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 4de4f71bdc..959f35a071 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -7,7 +7,8 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 03/24/2020
+
 ms.reviewer: 
 manager: dansimp
 ---
@@ -74,13 +75,16 @@ manager: dansimp
 
 <!--/Scope-->
 <!--Description-->
-This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.  
+This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
 
-> [!NOTE]
-> DeviceEnroller.exe will not elevate the user if a pre-configured local admin group already exists on the device. This is a security measure in the executable where it checks for other non-disabled Administrators' membership(s). If at least one already exists, the tool will exit without elevating.
+For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed.  
 
 > [!CAUTION]
-> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:  
+>
+> | Error Code  | Symbolic Name | Error Description | Header |
+> |----------|----------|----------|----------|
+> |  0x55b (Hex)  <br>  1371 (Dec)  |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|  winerror.h  |
 
 Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
 
@@ -125,24 +129,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
 
 <!--/SupportedValues-->
 <!--Example-->
-Here is an example:
 
+Here's an example:
 ```
 <groupmembership>
-    <accessgroup desc = "Administrators">
-        <member name = "AzureAD\CSPTest@contoso.com" />
-        <member name = "AzureAD\patlewis@contoso.com" />
-        <member name = "S-1-15-1233433-23423432423-234234324"/>
+    <accessgroup desc = "Group1">
+        <member name = "S-1-15-6666767-76767676767-666666777"/>
+        <member name = "contoso\Alice"/>
     </accessgroup>
-    <accessgroup desc = "testcsplocal">
-        <member name = "AzureAD\CSPTest@contoso.com" />
+    <accessgroup desc = "Group2">
+        <member name = "S-1-15-1233433-23423432423-234234324"/>
+        <member name = "Group1"/>
     </accessgroup>
 </groupmembership>
 ```
+where:
+- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
+- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for `<member name>`. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
+The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- In this example, `Group1` and `Group2` are local groups on the device being configured.
 
-> [!Note]
-> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access
-> * Include the entire UPN after AzureAD
 <!--/Example-->
 <!--Validation-->
 
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 205d51bff6..83b2b4ee01 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -83,7 +83,7 @@ manager: dansimp
 Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
 
 > [!Note]
-> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.
+> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.<p>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
 
 <!--/Description-->
 <!--ADMXMapped-->
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 26f73d572e..52098ee14c 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1204,19 +1204,19 @@ The following list shows the supported values:
 </tr>
 <tr>
     <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 </table>
 
@@ -1234,7 +1234,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 
-Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
@@ -1275,19 +1275,19 @@ Default value is 7.
 </tr>
 <tr>
     <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 </table>
 
@@ -1305,7 +1305,7 @@ Default value is 7.
 <!--/Scope-->
 <!--Description-->
 
-Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
@@ -1346,19 +1346,19 @@ Default value is 7.
 </tr>
 <tr>
     <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 </table>
 
@@ -1376,7 +1376,7 @@ Default value is 7.
 <!--/Scope-->
 <!--Description-->
 
-Added in Windows 10, version 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1418,19 +1418,19 @@ Default value is 2.
 </tr>
 <tr>
     <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 <tr>
     <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
 </tr>
 </table>
 
@@ -1448,7 +1448,7 @@ Default value is 2.
 <!--/Scope-->
 <!--Description-->
 
-Added in Windows 10, version 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
 
 When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
 <!--/Description-->
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index c485382b9e..25159c3271 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
  
 - Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
    ```
-   <Data>*S-1-5-32-544&#61440;*S-1-5-11</Data>
+   <Data>*S-1-5-32-544&#xF000;*S-1-5-11</Data>
    ```
 
 - Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
    ```
-   <Data>*S-1-5-32-544&#61440;Authenticated Users</Data>
+   <Data>*S-1-5-32-544&#xF000;Authenticated Users</Data>
    ```
  
 - Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
    ```
-   <Data>Authenticated Users&#61440;Administrators</Data>
+   <Data>Authenticated Users&#xF000;Administrators</Data>
    ```
 
 - Empty input indicates that there are no users configured to have that user right
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 33001ff094..ab3a46a409 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 03/02/2018
+ms.date: 03/23/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -28,7 +28,7 @@ Depending on the specific category of the settings that they control (OS or appl
 
 In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required.
 
-An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
+An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
 
 Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\<area>\<policy>`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies).
 
@@ -37,22 +37,22 @@ Windows maps the name and category path of a Group Policy to a MDM policy area a
 
 ## <a href="" id="admx-files-and-the-group-policy-editor"></a>ADMX files and the Group Policy Editor
 
-To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. 
+To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. 
 
-The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. 
+The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. 
 
 Group Policy option button setting:
 - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
     - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.  
-    - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition.
+    - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX-backed policy definition.
 
 - If **Disabled** is selected and you click **Apply**, the following events occur:
     - The MDM ISV server sets up a Replace SyncML command with a payload set to `<disabled\>`. 
-    - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
+    - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
 
 - If **Not Configured** is selected and you click **Apply**, the following events occur:
     - MDM ISV server sets up a Delete SyncML command. 
-    - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition.
+    - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX-backed policy definition.
 
 The following diagram shows the main display for the Group Policy Editor.
 
@@ -62,7 +62,7 @@ The following diagram shows the settings for the "Publishing Server 2 Settings"
 
 ![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png)
 
-Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply `<enabled/>`. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `<data />` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server’s IT administrator console must also do. For every `<text>` element and id attribute in the ADMX policy definition, there must be a corresponding `<data />` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
+Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply `<enabled/>`. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `<data />` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `<text>` element and id attribute in the ADMX policy definition, there must be a corresponding `<data />` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
 
 > [!IMPORTANT]
 > Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc. 
@@ -171,7 +171,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
         </Target>
-        <Data><disabled/></Data>
+        <Data><![CDATA[<disabled/>]]></Data>
       </Item>
     </Replace>
     <Final/>
@@ -249,10 +249,10 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
 .
 .
 .
-		 <stringPolicy name="PublishingAllowServer2" notSupportedOnPlatform="phone" admxbacked="appv.admx" scope="machine">
-			<ADMXPolicy area="appv~AT~System~CAT_AppV~CAT_Publishing" name="Publishing_Server2_Policy" scope="machine" />
-		   <registryKeyRedirect path="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2" />
-		 </stringPolicy >
+         <stringPolicy name="PublishingAllowServer2" notSupportedOnPlatform="phone" admxbacked="appv.admx" scope="machine">
+            <ADMXPolicy area="appv~AT~System~CAT_AppV~CAT_Publishing" name="Publishing_Server2_Policy" scope="machine" />
+           <registryKeyRedirect path="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2" />
+         </stringPolicy >
 .
 .
 .
@@ -275,7 +275,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
   <parentCategory ref="InternetExplorer" />
   <supportedOn ref="SUPPORTED_IE5" />
   <elements>
-	<text id="EnterHomePagePrompt" key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="Start Page" required="true" />
+    <text id="EnterHomePagePrompt" key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="Start Page" required="true" />
   </elements>
 </policy>
 ```
@@ -310,14 +310,14 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
 
 ```XML
 <policy name="Virtualization_JITVAllowList" class="Machine" displayName="$(string.Virtualization_JITVAllowList)"
-		explainText="$(string.Virtualization_JITVAllowList_Help)" presentation="$(presentation.Virtualization_JITVAllowList)"
-		  key="SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization"
-		  valueName="ProcessesUsingVirtualComponents">
-	<parentCategory ref="CAT_Virtualization" />
-	<supportedOn ref="windows:SUPPORTED_Windows7" />
-	<elements>
-	<multiText id="Virtualization_JITVAllowList_Prompt" valueName="ProcessesUsingVirtualComponents" />
-	</elements>
+        explainText="$(string.Virtualization_JITVAllowList_Help)" presentation="$(presentation.Virtualization_JITVAllowList)"
+          key="SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization"
+          valueName="ProcessesUsingVirtualComponents">
+    <parentCategory ref="CAT_Virtualization" />
+    <supportedOn ref="windows:SUPPORTED_Windows7" />
+    <elements>
+    <multiText id="Virtualization_JITVAllowList_Prompt" valueName="ProcessesUsingVirtualComponents" />
+    </elements>
 </policy>
 ```
 
@@ -337,7 +337,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList</LocURI>
         </Target>
-        <Data><enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe"/></Data>
+        <Data><![CDATA[<enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exe&#xF000;C:\QuickPatch\TEST\foo.exe&#xF000;C:\QuickPatch\TEST\bar.exe"/>]]></Data>
       </Item>
     </Replace>
     <Final/>
@@ -352,7 +352,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c
 > [!NOTE]
 > It is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: `&#xF000;`).
 
-Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple writeup of Group Policy List.
+Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple write up of Group Policy List.
 
 **ADMX file: inetres.admx**
 
@@ -361,7 +361,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
   <parentCategory ref="InternetExplorer" />
   <supportedOn ref="SUPPORTED_IE8" />
   <elements>
-	<list id="SecondaryHomePagesList" additive="true" />
+    <list id="SecondaryHomePagesList" additive="true" />
   </elements>
 </policy>
 ```
@@ -381,7 +381,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
         <Target>
           <LocURI>./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange</LocURI>
         </Target>
-        <Data><Enabled/><Data id="SecondaryHomePagesList" value="http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2"/></Data>
+        <Data><![CDATA[<Enabled/><Data id="SecondaryHomePagesList" value="http://name1&#xF000;http://name1&#xF000;http://name2&#xF000;http://name2"/>]]></Data>
       </Item>
     </Replace>
     <Final/>
@@ -413,7 +413,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck</LocURI>
         </Target>
-        <Data><Enabled/></Data>
+        <Data><![CDATA[<Enabled/>]]></Data>
       </Item>
     </Replace>
     <Final/>
@@ -425,32 +425,32 @@ Variations of the `list` element are dictated by attributes. These attributes ar
 
 ```XML
 <policy name="EncryptionMethodWithXts_Name" class="Machine" displayName="$(string.EncryptionMethodWithXts_Name)" explainText="$(string.EncryptionMethodWithXts_Help)" presentation="$(presentation.EncryptionMethodWithXts_Name)" key="SOFTWARE\Policies\Microsoft\FVE">
-	<parentCategory ref="FVECategory" />
-	<!--Bug OS:4242178 -->
-	<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
-	<elements>
-		<enum id="EncryptionMethodWithXtsOsDropDown_Name" valueName="EncryptionMethodWithXtsOs" required="true">
-			<item displayName="$(string.EncryptionMethodDropDown_AES128_Name2)">
-				<value>
-					<decimal value="3" />
-				</value>
-			</item>
-			<item displayName="$(string.EncryptionMethodDropDown_AES256_Name2)">
-				<value>
-					<decimal value="4" />
-				</value>
-			</item>
-			<item displayName="$(string.EncryptionMethodDropDown_XTS_AES128_Name)">
-				<value>
-					<decimal value="6" />
-				</value>
-			</item>
-			<item displayName="$(string.EncryptionMethodDropDown_XTS_AES256_Name)">
-				<value>
-					<decimal value="7" />
-				</value>
-			</item>
-		</enum>
+    <parentCategory ref="FVECategory" />
+    <!--Bug OS:4242178 -->
+    <supportedOn ref="windows:SUPPORTED_Windows_10_0" />
+    <elements>
+        <enum id="EncryptionMethodWithXtsOsDropDown_Name" valueName="EncryptionMethodWithXtsOs" required="true">
+            <item displayName="$(string.EncryptionMethodDropDown_AES128_Name2)">
+                <value>
+                    <decimal value="3" />
+                </value>
+            </item>
+            <item displayName="$(string.EncryptionMethodDropDown_AES256_Name2)">
+                <value>
+                    <decimal value="4" />
+                </value>
+            </item>
+            <item displayName="$(string.EncryptionMethodDropDown_XTS_AES128_Name)">
+                <value>
+                    <decimal value="6" />
+                </value>
+            </item>
+            <item displayName="$(string.EncryptionMethodDropDown_XTS_AES256_Name)">
+                <value>
+                    <decimal value="7" />
+                </value>
+            </item>
+        </enum>
    </elements>
 </policy>
 ```
@@ -467,8 +467,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType</LocURI>
         </Target>
         <Data>
-          <enabled/>
-          <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
+          <![CDATA[<enabled/>
+          <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>]]>
         </Data>
       </Item>
     </Replace>
@@ -482,13 +482,13 @@ Variations of the `list` element are dictated by attributes. These attributes ar
 ```XML
 <policy name="Streaming_Reestablishment_Interval" class="Machine" displayName="$(string.Streaming_Reestablishment_Interval)" 
             explainText="$(string.Streaming_Reestablishment_Interval_Help)"
-			presentation="$(presentation.Streaming_Reestablishment_Interval)"
+            presentation="$(presentation.Streaming_Reestablishment_Interval)"
             key="SOFTWARE\Policies\Microsoft\AppV\Client\Streaming">
-	<parentCategory ref="CAT_Streaming" />
-	<supportedOn ref="windows:SUPPORTED_Windows7" />
-	<elements>
-		<decimal id="Streaming_Reestablishment_Interval_Prompt" valueName="ReestablishmentInterval" minValue="0" maxValue="3600"/>
-	</elements>
+    <parentCategory ref="CAT_Streaming" />
+    <supportedOn ref="windows:SUPPORTED_Windows7" />
+    <elements>
+        <decimal id="Streaming_Reestablishment_Interval_Prompt" valueName="ReestablishmentInterval" minValue="0" maxValue="3600"/>
+    </elements>
 </policy>
 ```
 
@@ -504,8 +504,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval</LocURI>
         </Target>
         <Data>
-          <enabled/>
-          <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/>
+          <![CDATA[<enabled/>
+          <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/>]]>
         </Data>
       </Item>
     </Replace>
@@ -518,25 +518,25 @@ Variations of the `list` element are dictated by attributes. These attributes ar
 
 ```XML
 <policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
-	<parentCategory ref="DeviceInstall_Restrictions_Category" />
-	<supportedOn ref="windows:SUPPORTED_WindowsVista" />
-	<enabledValue>
-	<decimal value="1" />
-	</enabledValue>
-	<disabledValue>
-	<decimal value="0" />
-	</disabledValue>
-	<elements>
-		<list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
-		<boolean id="DeviceInstall_Classes_Deny_Retroactive" valueName="DenyDeviceClassesRetroactive" >
-			<trueValue>
-				<decimal value="1" />
-			</trueValue>
-			<falseValue>
-				<decimal value="0" />
-			</falseValue>
-		</boolean>
-	</elements>
+    <parentCategory ref="DeviceInstall_Restrictions_Category" />
+    <supportedOn ref="windows:SUPPORTED_WindowsVista" />
+    <enabledValue>
+    <decimal value="1" />
+    </enabledValue>
+    <disabledValue>
+    <decimal value="0" />
+    </disabledValue>
+    <elements>
+        <list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
+        <boolean id="DeviceInstall_Classes_Deny_Retroactive" valueName="DenyDeviceClassesRetroactive" >
+            <trueValue>
+                <decimal value="1" />
+            </trueValue>
+            <falseValue>
+                <decimal value="0" />
+            </falseValue>
+        </boolean>
+    </elements>
 </policy>
 ```
 
@@ -557,8 +557,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
           <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</LocURI>
         </Target>
         <Data>
-          <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
-          <Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2"/>
+          <![CDATA[<enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
+          <Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;deviceId1&#xF000;2&#xF000;deviceId2"/>]]>
         </Data>
       </Item>
     </Replace>
diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
index 7b4f4424be..3d2584ee4e 100644
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 06/26/2017
+ms.date: 03/23/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -221,7 +221,8 @@ The following example shows an ADMX file in SyncML format:
         <Target>
           <LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
         </Target>
-        <Data><policyDefinitions revision="1.0" schemaVersion="1.0">
+        <Data>
+        <![CDATA[<policyDefinitions revision="1.0" schemaVersion="1.0">
           <categories>
           <category name="ParentCategoryArea"/>
           <category name="Category1">
@@ -350,7 +351,8 @@ The following example shows an ADMX file in SyncML format:
           </elements>
           </policy>
           </policies>
-          </policyDefinitions></Data>
+          </policyDefinitions>]]>
+        </Data>
       </Item>
     </Add>
     <Final/>
@@ -439,7 +441,7 @@ The following examples describe how to set an ADMX-ingested app policy.
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
         </Target>
-        <Data><enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/></Data>
+        <Data><![CDATA[<enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>]]></Data>
       </Item>
     </Replace>
     <Final/>
@@ -473,7 +475,7 @@ The following examples describe how to set an ADMX-ingested app policy.
         <Target>
           <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
         </Target>
-        <Data><disabled/></Data>
+        <Data><![CDATA[<disabled/>]]></Data>
       </Item>
     </Replace>
     <Final/>
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index f13d6f81c8..ad794f7530 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -117,11 +117,11 @@ When you have the Start layout that you want your users to see, use the [Export-
     </thead>
     <tbody>
     <tr class="odd">
-    <td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
+    <td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;https://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
       &lt;DefaultLayoutOverride&gt;
         &lt;StartLayoutCollection&gt;
-          &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
-            &lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
+          &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;https://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
+            &lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;https://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
               &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
               &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt;
               &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG
similarity index 100%
rename from windows/configuration/images/sccm-asset.PNG
rename to windows/configuration/images/configmgr-asset.PNG
diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG
similarity index 100%
rename from windows/configuration/images/sccm-client.PNG
rename to windows/configuration/images/configmgr-client.PNG
diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG
similarity index 100%
rename from windows/configuration/images/sccm-collection.PNG
rename to windows/configuration/images/configmgr-collection.PNG
diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/configuration/images/sccm-install-os.PNG
rename to windows/configuration/images/configmgr-install-os.PNG
diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/configuration/images/sccm-post-refresh.PNG
rename to windows/configuration/images/configmgr-post-refresh.PNG
diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/configuration/images/sccm-pxe.PNG
rename to windows/configuration/images/configmgr-pxe.PNG
diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG
similarity index 100%
rename from windows/configuration/images/sccm-site.PNG
rename to windows/configuration/images/configmgr-site.PNG
diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/configuration/images/sccm-software-cntr.PNG
rename to windows/configuration/images/configmgr-software-cntr.PNG
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index a523b64e83..0f99ece694 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -40,7 +40,6 @@ Remove access to the context menus for the task bar	| Enabled
 Clear history of recently opened documents on exit |	Enabled
 Prevent users from customizing their Start Screen |	Enabled
 Prevent users from uninstalling applications from Start |		Enabled
-Remove All Programs list from the Start menu |		Enabled
 Remove Run menu from Start Menu	 |	Enabled
 Disable showing balloon notifications as toast |		Enabled
 Do not allow pinning items in Jump Lists |		Enabled
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 2a219ab6bc..f9fb4b255a 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -70,9 +70,9 @@ The XML declaration must specify the XML version 1.0 attribute (&lt;?xml version
 
 **Type: String**
 
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
 
-`<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
+`<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
 
 ### <a href="" id="data21"></a>Data types
 
@@ -646,10 +646,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xs:schema id="UevSettingsLocationTemplate"
-  targetNamespace="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  targetNamespace="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
   elementFormDefault="qualified"
-  xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
-  xmlns:mstns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  xmlns="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
+  xmlns:mstns="https://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"
   xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
     <xs:simpleType name="Guid">
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 70054cae5a..f3d37601d0 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -67,7 +67,7 @@ WORKAROUND: None.
 
 ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
 
-We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](<http://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx>). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
+We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](<https://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx>). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
 
 WORKAROUND: None
 
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 8b61799ddc..d4e56af1b7 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -102,20 +102,21 @@
 ##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
 ##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
 
-### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
-#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+#### Prepare for Windows 10 deployment with Configuration Manager
+##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+#### Deploy Windows 10 with Configuration Manager
+##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+##### [Perform an in-place upgrade to Windows 10 using Configuration Manager](deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
 
 ### [Windows 10 deployment tools](windows-10-deployment-tools.md)
 
@@ -245,13 +246,20 @@
 ### Monitor Windows Updates
 #### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
 #### [Get started with Update Compliance](update/update-compliance-get-started.md)
+##### [Update Compliance Configuration Script](update/update-compliance-configuration-script.md)
+##### [Manually Configuring Devices for Update Compliance](update/update-compliance-configuration-manual.md)
 #### [Use Update Compliance](update/update-compliance-using.md)
 ##### [Need Attention! report](update/update-compliance-need-attention.md)
 ##### [Security Update Status report](update/update-compliance-security-update-status.md)
 ##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
-##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
 ##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
-##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
+##### [Data Handling and Privacy in Update Compliance](update/update-compliance-privacy.md)
+##### [Update Compliance Schema Reference](update/update-compliance-schema.md)
+###### [WaaSUpdateStatus](update/update-compliance-schema-waasupdatestatus.md)
+###### [WaaSInsiderStatus](update/update-compliance-schema-waasinsiderstatus.md)
+###### [WaaSDeploymentStatus](update/update-compliance-schema-waasdeploymentstatus.md)
+###### [WUDOStatus](update/update-compliance-schema-wudostatus.md)
+###### [WUDOAggregatedStatus](update/update-compliance-schema-wudoaggregatedstatus.md)
 ### Best practices
 #### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
 #### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md)
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index a6b6ad9da6..b51e38cfae 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -1,85 +1,86 @@
----
-title: Add Microsoft Store for Business applications to a Windows 10 image
-description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
-keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.reviewer: 
-manager: laurawi
-ms.topic: article
----
-
-# Add Microsoft Store for Business applications to a Windows 10 image
-
-**Applies to**
-
--   Windows 10
-
-This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
-
->[!IMPORTANT]
->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
-
-## Prerequisites
-
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
-
-* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
-
-* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
-> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**.
-
-## Adding a Store application to your image
-
-On a machine where your image file is accessible:
-1. Open Windows PowerShell with administrator privileges.
-2. Mount the image. At the Windows PowerShell prompt, type:
-`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
-3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
-`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
-
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
->
->Do not dismount the image, as you will return to it later.
-
-## Editing the Start Layout
-
-In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
-
-On a test machine:
-1. **Install the Microsoft Store for Business application you previously added** to your image.
-2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
-3. Open Windows PowerShell with administrator privileges.
-4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
-5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
-
-Now, on the machine where your image file is accessible:
-1. Import the Start layout. At the Windows PowerShell prompt, type: 
-`Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
-2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
-`Dismount-WindowsImage -Path c:\test -Save`
-
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
->
->For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/)
-
-
-## Related topics
-* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
-* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout)
-* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout)
-* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
-
-
+---
+title: Add Microsoft Store for Business applications to a Windows 10 image
+description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
+keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.reviewer: 
+manager: laurawi
+ms.topic: article
+---
+
+# Add Microsoft Store for Business applications to a Windows 10 image
+
+**Applies to**
+
+-   Windows 10
+
+This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
+
+>[!IMPORTANT]
+>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+## Prerequisites
+
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
+
+* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
+deploy-windows-cm
+* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
+
+>[!NOTE]
+> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**.
+
+## Adding a Store application to your image
+
+On a machine where your image file is accessible:
+1. Open Windows PowerShell with administrator privileges.
+2. Mount the image. At the Windows PowerShell prompt, type:
+`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
+3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
+`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>Do not dismount the image, as you will return to it later.
+
+## Editing the Start Layout
+
+In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+On a test machine:
+1. **Install the Microsoft Store for Business application you previously added** to your image.
+2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
+3. Open Windows PowerShell with administrator privileges.
+4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
+5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
+
+Now, on the machine where your image file is accessible:
+1. Import the Start layout. At the Windows PowerShell prompt, type: 
+`Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
+2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
+`Dismount-WindowsImage -Path c:\test -Save`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/)
+
+
+## Related topics
+* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
+* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout)
+* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout)
+* [Sideload LOB apps in Windows 10](/windows/application-management/siddeploy-windows-cmws-10)
+* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
+
+
diff --git a/windows/deployment/deploy-old.md b/windows/deployment/deploy-old.md
deleted file mode 100644
index 56697276c6..0000000000
--- a/windows/deployment/deploy-old.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Deploy Windows 10 (Windows 10)
-description: Deploying Windows 10 for IT professionals.
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
-ms.reviewer: 
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10
-
-Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
-
-
-|Topic |Description |
-|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
-|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to  deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
-|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
-
-## Related topics
-
-[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/TOC.md b/windows/deployment/deploy-windows-cm/TOC.md
similarity index 65%
rename from windows/deployment/deploy-windows-sccm/TOC.md
rename to windows/deployment/deploy-windows-cm/TOC.md
index 93aadaebcd..b26445c4ab 100644
--- a/windows/deployment/deploy-windows-sccm/TOC.md
+++ b/windows/deployment/deploy-windows-cm/TOC.md
@@ -1,15 +1,15 @@
-# Deploy Windows 10 with Configuration Manager
-## [Configuration Manager components](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+## Prepare for Windows 10 deployment with Configuration Manager
+### [Prepare for Zero Touch Installation with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 ### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
 ### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
 ### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
 ### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-### [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
 ### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+## Deploy Windows 10 with Configuration Manager
 ### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
 ### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Perform an in-place upgrade to Windows 10 using Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
\ No newline at end of file
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
similarity index 50%
rename from windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
rename to windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 9fdf3cf07d..1fd47c5505 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -17,60 +17,54 @@ ms.topic: article
 
 # Add a Windows 10 operating system image using Configuration Manager
 
-
 **Applies to**
 
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+-   Windows 10
 
 Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
 
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+## Infrastructure
 
-1.  Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
-2.  Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
-    ![figure 17](../images/fig17-win10image.png)
+>[!IMPORTANT]
+>The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
 
-    Figure 17. The Windows 10 image copied to the Sources folder structure.
+ ## Add a Windows 10 operating system image
+
+ On **CM01**:
+
+1.  Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+2.  Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+
+    ![figure 17](../images/ref-image.png)
+
+    The Windows 10 image being copied to the Sources folder structure.
 
 3.  Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
-
-4.  On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**.
-
-5.  On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**.
-
-6.  Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**.
-
-7.  In the Distribute Content Wizard, add the CM01 distribution point.
-
-8.  View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+4.  On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then click **Next**.
+5.  On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**.
+6.  Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
+7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8.  View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
 
     ![figure 18](../images/fig18-distwindows.png)
 
-    Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
+    The distributed Windows 10 Enterprise x64 RTM package.
+
+Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). 
 
 ## Related topics
 
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
new file mode 100644
index 0000000000..e8896d30de
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -0,0 +1,110 @@
+---
+title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
+description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
+ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deploy, task sequence
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add drivers for Windows PE
+
+This section will show you how to import some network and storage drivers for Windows PE. 
+
+>[!NOTE]
+>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need.  An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
+
+This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
+
+![Drivers](../images/cm01-drivers.png)
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
+4. On the **Select the packages to add the imported driver** page, click **Next**.
+5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and click **Next**.
+6. In the popup window that appears, click **Yes** to automatically update the distribution point.
+7. Click **Next**, wait for the image to be updated, and then click **Close**.
+
+  ![Add drivers to Windows PE](../images/fig21-add-drivers1.png "Add drivers to Windows PE")<br>
+  ![Add drivers to Windows PE](../images/fig21-add-drivers2.png "Add drivers to Windows PE")<br>
+  ![Add drivers to Windows PE](../images/fig21-add-drivers3.png "Add drivers to Windows PE")<br>
+  ![Add drivers to Windows PE](../images/fig21-add-drivers4.png "Add drivers to Windows PE")
+
+  Add drivers to Windows PE
+
+## Add drivers for Windows 10
+
+This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
+
+For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
+
+![Drivers](../images/cm01-drivers-windows.png)
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
+
+    ![Create driver categories](../images/fig22-createcategories.png "Create driver categories")
+
+    Create driver categories
+
+
+4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
+
+    * Name: Windows 10 x64 - HP EliteBook 8560w
+    * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
+
+    >[!NOTE]
+    >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify.
+
+5.  On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
+
+    >[!NOTE]
+    >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+  
+    ![Drivers imported and a new driver package created](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
+  
+    Drivers imported and a new driver package created
+
+Next, see [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
new file mode 100644
index 0000000000..091ae48f32
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -0,0 +1,101 @@
+---
+title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
+description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
+ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: tool, customize, deploy, boot image
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a custom Windows PE boot image with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+- The boot image that is created is based on the version of ADK that is installed.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add DaRT 10 files and prepare to brand the boot image
+
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
+
+We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
+
+On **CM01**:
+
+1.  Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings.
+2.  Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
+3.  Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
+4.  Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
+5.  Using File Explorer, navigate to the **C:\\Setup** folder.
+6.  Copy the **Branding** folder to **D:\\Sources\\OSD**.
+
+## Create a boot image for Configuration Manager using the MDT wizard
+
+By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
+
+On **CM01**:
+
+1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
+2.  On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
+
+    >[!NOTE]
+    >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+
+3.  On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
+4.  On the **Options** page, select the **x64** platform, and click **Next**.
+5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
+
+    ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
+
+    Add the DaRT component to the Configuration Manager boot image.
+
+    >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
+
+6.  On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
+7.  Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
+8.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
+9.  Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
+
+    ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus1.png "Content status for the Zero Touch WinPE x64 boot image")<br>
+    ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus2.png "Content status for the Zero Touch WinPE x64 boot image")
+
+    Content status for the Zero Touch WinPE x64 boot image
+
+10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
+11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
+12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
+13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
+
+    ![PS100009-1](../images/ps100009-1.png)<br>
+    ![PS100009-2](../images/ps100009-2.png)
+
+>Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
+
+Next, see [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md). 
+
+## Related topics
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)<br>
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
new file mode 100644
index 0000000000..7f539c965d
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -0,0 +1,144 @@
+---
+title: Create a task sequence with Configuration Manager (Windows 10)
+description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, task sequence, install
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.pagetype: mdt
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a task sequence with Configuration Manager and MDT
+
+**Applies to**
+
+-   Windows 10
+
+In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
+
+## Create a task sequence using the MDT Integration Wizard
+
+This section walks you through the process of creating a Configuration Manager task sequence for production use.
+
+On **CM01**:
+
+1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2.  On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
+3.  On the **General** page, assign the following settings and then click **Next**:
+    * Task sequence name: Windows 10 Enterprise x64 RTM
+    * Task sequence comments: Production image with Office 365 Pro Plus x64
+4.  On the **Details** page, assign the following settings and then click **Next**:
+    * Join a Domain
+    * Domain: contoso.com
+        * Account: contoso\\CM\_JD
+        * Password: pass@word1
+    * Windows Settings
+        * User name: Contoso
+        * Organization name: Contoso
+        * Product key: &lt;blank&gt;
+
+5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
+6.  On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+7.  On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
+8.  On the **MDT Details** page, assign the name **MDT** and click **Next**.
+9.  On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
+10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and click **Next**.
+11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and click **Next**.
+12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and click **Next**.
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and click **Next**.
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
+15. On the **Sysprep Package** page, click **Next** twice.
+16. On the **Confirmation** page, click **Finish**.
+
+## Edit the task sequence
+
+After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
+
+On **CM01**:
+
+1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and click **Edit**.
+2.  In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following:
+    * OSDPreserveDriveLetter: True
+    
+    >[!NOTE]
+    >If you don't change this value, your Windows installation will end up in D:\\Windows.
+
+3.  In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
+4.  In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+5.  After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+    * Name: HP EliteBook 8560w
+    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
+    * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
+    
+    >[!NOTE]
+    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+    
+    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
+    
+    The driver package options
+
+7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
+8.  Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
+
+    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
+
+    Add an application to the Configuration Manager task sequence
+
+  >[!NOTE]
+  >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE.  If these actions are not present, try updating to the Config Mgr current branch release.
+
+9.  In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings:
+    * Request state storage location to: Restore state from another computer
+    * If computer account fails to connect to state store, use the Network Access account: selected
+    * Options: Continue on error
+    * Options / Add Condition:
+      * Task Sequence Variable      
+      * USMTLOCAL not equals True
+
+10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings:
+    * Options: Continue on error
+    * Options / Condition:
+      * Task Sequence Variable
+      * USMTLOCAL not equals True
+
+11. Click **OK**.
+
+## Organize your packages (optional)
+
+If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages. 
+
+To create a folder for packages:
+
+On **CM01**:
+
+1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
+2.  Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure.
+3.  Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+4.  In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+
+Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..7e1c6b9819
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,86 @@
+---
+title: Create an app to deploy with Windows 10 using Configuration Manager
+description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deployment, task sequence, custom, customize
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create an application to deploy with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+-   Windows 10
+
+Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+>[!NOTE]
+>The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
+
+## Example: Create the Adobe Reader application
+
+On **CM01**:
+
+1. Create the **D:\Setup** folder if it does not already exist.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
+2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example:
+
+  ```powershell
+  Set-Location C:\Users\administrator.CONTOSO\Downloads
+  .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
+  ```
+  >Note: the extraction process will create the "Adobe" folder
+
+3.  Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder.
+4.  In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
+5.  Right-click **Applications**, point to **Folder** and then click **Create Folder**. Assign the name **OSD**.
+6.  Right-click the **OSD** folder, and click **Create Application**.
+7.  In the Create Application Wizard, on the **General** page, use the following settings:
+
+    * Automatically detect information about this application from installation files
+    * Type: Windows Installer (\*.msi file)
+    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
+
+    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
+
+    The Create Application Wizard
+
+8.  Click **Next**, and wait while Configuration Manager parses the MSI file.
+9.  On the **Import Information** page, review the information and then click **Next**.
+10.  On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, click **Next** twice, and then click **Close**.
+
+  >[!NOTE]
+  >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+  
+  ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+  
+  Add the "OSD Install" suffix to the application name
+
+11.  In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties).
+12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+
+Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). 
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
new file mode 100644
index 0000000000..a5ea3f78c2
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -0,0 +1,102 @@
+---
+title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
+description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deployment, image, UEFI, task sequence
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 using PXE and Configuration Manager
+
+**Applies to**
+
+-   Windows 10
+
+In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+
+This topic assumes that you have completed the following prerequisite procedures:
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+  - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
+- PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
+
+>[!NOTE]
+>If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!NOTE]
+>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
+
+## Procedures
+
+1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
+2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
+3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
+4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
+5. The operating system deployment will take several minutes to complete. 
+6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following:
+
+    * Install the Windows 10 operating system.
+    * Install the Configuration Manager client and the client hotfix.
+    * Join the computer to the domain.
+    * Install the application added to the task sequence.
+    
+    >[!NOTE]
+    >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+
+    ![MDT monitoring](../images/pc0001-monitor.png)
+
+    Monitoring the deployment with MDT.
+
+7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus.
+
+Examples are provided below of various stages of deployment:
+
+![pc0001a](../images/pc0001a.png)<br>
+![pc0001b](../images/pc0001b.png)<br>
+![pc0001c](../images/pc0001c.png)<br>
+![pc0001d](../images/pc0001d.png)<br>
+![pc0001e](../images/pc0001e.png)<br>
+![pc0001f](../images/pc0001f.png)<br>
+![pc0001g](../images/pc0001g.png)<br>
+![pc0001h](../images/pc0001h.png)<br>
+![pc0001i](../images/pc0001i.png)<br>
+![pc0001j](../images/pc0001j.png)<br>
+![pc0001k](../images/pc0001k.png)<br>
+![pc0001l](../images/pc0001l.png)<br>
+![pc0001m](../images/pc0001m.png)<br>
+![pc0001n](../images/pc0001n.png)
+
+Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
new file mode 100644
index 0000000000..b3c301d048
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -0,0 +1,167 @@
+---
+title: Finalize operating system configuration for Windows 10 deployment
+description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
+ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: configure, deploy, upgrade
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
+
+**Applies to**
+
+-   Windows 10
+
+This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Enable MDT monitoring
+
+This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
+
+On **CM01**:
+
+1.  Open the Deployment Workbench, right-click **Deployment Shares** and click **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
+
+    * Deployment share path: D:\\MDTProduction
+    * Share name: MDTProduction$
+    * Deployment share description: MDT Production
+    * Options: &lt;default settings&gt;
+
+2.  Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
+
+    ![Enable MDT monitoring for Configuration Manager](../images/mdt-06-fig31.png)
+
+    Enable MDT monitoring for Configuration Manager
+
+## Configure the Logs folder
+
+The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
+
+On **CM01**:
+
+1.  To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt:
+
+    ``` 
+    icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
+    ```
+
+2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
+3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings:
+
+   ``` 
+   [Settings]
+   Priority=Default
+   Properties=OSDMigrateConfigFiles,OSDMigrateMode
+
+   [Default]
+   DoCapture=NO
+   ComputerBackupLocation=NONE
+   MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
+   OSDMigrateMode=Advanced
+   OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
+   OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
+   SLSHARE=\\CM01\Logs$
+   EventService=http://CM01:9800
+   ApplyGPOPack=NO
+   ```
+
+   ![Settings package during deployment](../images/fig30-settingspack.png)
+
+   The Settings package, holding the rules and the Unattend.xml template used during deployment
+
+3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box.
+
+   >[!NOTE]
+   >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
+
+## Distribute content to the CM01 distribution portal
+
+In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
+
+On **CM01**:
+
+1.  Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
+2.  In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
+3.  Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
+
+   ![Content status](../images/cm01-content-status1.png)
+
+   Content status
+
+## Create a deployment for the task sequence
+
+This sections provides steps to help you create a deployment for the task sequence.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then click **Deploy**.
+2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and click **Next**.
+3. On the **Deployment Settings** page, use the following settings and then click **Next**:
+
+   * Purpose: Available
+   * Make available to the following: Only media and PXE
+
+   ![Configure the deployment settings](../images/mdt-06-fig33.png)
+    
+   Configure the deployment settings
+
+4. On the **Scheduling** page, accept the default settings and click **Next**.
+5. On the **User Experience** page, accept the default settings and click **Next**.
+6. On the **Alerts** page, accept the default settings and click **Next**.
+7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
+
+   ![Task sequence deployed](../images/fig32-deploywiz.png)
+
+   The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE
+
+## Configure Configuration Manager to prompt for the computer name during deployment (optional)
+
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and click **Properties**.
+
+2. On the **Collection Variables** tab, create a new variable with the following settings:
+
+   * Name: OSDComputerName
+   * Clear the **Do not display this value in the Configuration Manager console** check box.
+
+3. Click **OK**.
+
+   >[!NOTE]
+   >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
+   
+   ![Configure a collection variable](../images/mdt-06-fig35.png)
+   
+   Configure a collection variable
+
+Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
new file mode 100644
index 0000000000..ca87d2d6b3
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -0,0 +1,391 @@
+---
+title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
+description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
+ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: install, configure, deploy, deployment
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
+
+**Applies to**
+
+-   Windows 10
+
+This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). 
+
+## Prerequisites
+
+In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
+
+- Configuration Manager current branch + all security and critical updates are installed.
+  - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+- The [Active Directory Schema has been extended](https://docs.microsoft.com/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
+- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/configure-discovery-methods).
+- IP range [boundaries and a boundary group](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
+- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
+- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
+- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
+  - Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed.  Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
+
+For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01. 
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com<br>
+**Domain administrator username**: administrator<br>
+**Domain administrator password**: pass@word1
+
+## Create the OU structure
+
+>[!NOTE]
+>If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
+
+On **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as <b>C:\Setup\Scripts\ou.ps1</b>. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+    $ouname = $entry.ouname
+    $oupath = $entry.oupath
+    New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+    Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as <b>C:\Setup\Scripts\oulist.txt</b>
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+## Create the Configuration Manager service accounts
+
+A role-based model is used to configure permissions for the service accounts needed for operating system deployment in Configuration Manager. Perform the following steps to create the Configuration Manager **join domain** and **network access** accounts:
+
+On **DC01**:
+
+1.  In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**.
+2.  Select the Service Accounts OU and create the CM\_JD account using the following settings:
+
+    * Name: CM\_JD
+    * User logon name: CM\_JD
+    * Password: pass@word1
+    * User must change password at next logon: Clear
+    * User cannot change password: Selected
+    * Password never expires: Selected
+
+3.  Repeat the step, but for the CM\_NAA account.
+4.  After creating the accounts, assign the following descriptions:
+
+    * CM\_JD: Configuration Manager Join Domain Account
+    * CM\_NAA: Configuration Manager Network Access Account
+
+## Configure Active Directory permissions
+
+In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
+
+On **DC01**:
+
+1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
+
+   ``` 
+   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+   Set-Location C:\Setup\Scripts
+   .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
+   ```
+
+2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
+
+   * Scope: This object and all descendant objects
+   * Create Computer objects
+   * Delete Computer objects
+   * Scope: Descendant Computer objects
+   * Read All Properties
+   * Write All Properties
+   * Read Permissions
+   * Modify Permissions
+   * Change Password
+   * Reset Password
+   * Validated write to DNS host name
+   * Validated write to service principal name
+
+## Review the Sources folder structure
+
+On **CM01**:
+
+To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01):
+
+>[!NOTE]
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
+
+- D:\\Sources
+- D:\\Sources\\OSD
+- D:\\Sources\\OSD\\Boot
+- D:\\Sources\\OSD\\DriverPackages
+- D:\\Sources\\OSD\\DriverSources
+- D:\\Sources\\OSD\\MDT
+- D:\\Sources\\OSD\\OS
+- D:\\Sources\\OSD\\Settings
+- D:\\Sources\\OSD\\Branding
+- D:\\Sources\\Software
+- D:\\Sources\\Software\\Adobe
+- D:\\Sources\\Software\\Microsoft
+
+You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
+
+>We will also create the D:\Logs folder here which will be used later to support server-side logging.
+
+```powershell
+New-Item -ItemType Directory -Path "D:\Sources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Boot"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverPackages"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverSources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\OS"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Settings"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Branding"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\MDT"
+New-Item -ItemType Directory -Path "D:\Sources\Software"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Adobe"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Microsoft"
+New-SmbShare -Name Sources$ -Path D:\Sources -FullAccess "NT AUTHORITY\INTERACTIVE", "BUILTIN\Administrators"
+New-Item -ItemType Directory -Path "D:\Logs"
+New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+```
+
+## Integrate Configuration Manager with MDT
+
+To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings.
+
+On **CM01**:
+
+1. Sign in as contoso\administrator.
+2. Ensure the Configuration Manager Console is closed before continuing.
+5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings:
+
+   * Site Server Name: CM01.contoso.com
+   * Site code: PS1
+
+![figure 8](../images/mdt-06-fig08.png)
+
+MDT integration with Configuration Manager.
+
+## Configure the client settings
+
+Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
+
+On **CM01**:
+
+1.  Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**.
+2.  In the right pane, right-click **Default Client Settings** and then click **Properties**.
+3.  In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
+
+![figure 9](../images/mdt-06-fig10.png)
+
+Configure the organization name in client settings.
+
+![figure 10](../images/fig10-contosoinstall.png)
+
+The Contoso organization name displayed during deployment.
+
+## Configure the Network Access account
+
+Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution points. In this section, you configure the Network Access account.
+
+On **CM01**:
+
+1.  Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
+2.  Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
+3.  On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
+
+![figure 12](../images/mdt-06-fig12.png)
+
+Test the connection for the Network Access account.
+
+## Enable PXE on the CM01 distribution point
+
+Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
+
+On **CM01**:
+
+1.  In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
+2.  Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
+3.  On the **PXE** tab, use the following settings:
+
+    * Enable PXE support for clients
+    * Allow this distribution point to respond to incoming PXE requests
+    * Enable unknown computer
+    * Require a password when computers use PXE
+    * Password and Confirm password: pass@word1
+
+    ![figure 12](../images/mdt-06-fig13.png)
+
+    Configure the CM01 distribution point for PXE.
+
+    >[!NOTE]
+    >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+
+4.  Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
+
+    ![figure 13](../images/mdt-06-fig14.png)
+
+    The distmgr.log displays a successful configuration of PXE on the distribution point.
+
+5.  Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
+
+    ![figure 14](../images/mdt-06-fig15.png)
+
+    The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
+
+    **Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder.
+
+Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
+
+## Components of Configuration Manager operating system deployment
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+-   **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+-   **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+-   **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+-   **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+-   **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+-   **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+-   **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+-   **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+-   **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+    **Note**  The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
+
+## Why integrate MDT with Configuration Manager
+
+As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+
+>[!NOTE]
+>MDT installation requires the following:
+>-   The Windows ADK for Windows 10 (installed in the previous procedure)
+>-   Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>-   Microsoft .NET Framework
+
+### MDT enables dynamic deployment
+
+When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+
+The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
+-   The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
+    ``` syntax
+    [Settings] 
+    Priority=Model
+    [HP EliteBook 8570w] 
+    Packages001=PS100010:Install HP Hotkeys
+    ```
+-   The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+    ``` syntax
+    [Settings]
+    Priority= ByLaptopType, ByDesktopType
+    [ByLaptopType]
+    Subsection=Laptop-%IsLaptop%
+    [ByDesktopType]
+    Subsection=Desktop-%IsDesktop%
+    [Laptop-True]
+    Packages001=PS100012:Install Cisco VPN Client
+    OSDComputerName=LT-%SerialNumber%
+    MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
+    [Desktop-True]
+    OSDComputerName=DT-%SerialNumber%
+    MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
+    ```
+
+![figure 2](../images/fig2-gather.png)
+
+The Gather action in the task sequence is reading the rules.
+
+### MDT adds an operating system deployment simulation environment
+
+When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+![figure 3](../images/mdt-06-fig03.png)
+
+The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
+
+### MDT adds real-time monitoring
+
+With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+
+![figure 4](../images/mdt-06-fig04.png)
+
+View the real-time monitoring data with PowerShell.
+
+### MDT adds an optional deployment wizard
+
+For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
+
+![figure 5](../images/mdt-06-fig05.png)
+
+The optional UDI wizard open in the UDI Wizard Designer.
+
+MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
+
+### Why use MDT Lite Touch to create reference images
+
+You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+-   You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+-   Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+-   The Configuration Manager task sequence does not suppress user interface interaction.
+-   MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
+-   MDT Lite Touch does not require any infrastructure and is easy to delegate.
+
+## Related topics
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..24ea36579b
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,148 @@
+---
+title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
+ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, computer refresh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+
+A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
+
+1.  Data and settings are backed up locally in a backup folder.
+2.  The partition is wiped, except for the backup folder.
+3.  The new operating system image is applied.
+4.  Other applications are installed.
+5.  Data and settings are restored.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+
+For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
+
+>[!NOTE]
+>If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Verify the Configuration Manager client settings
+
+To verify that PC003 is correctly assigned to the PS1 site:
+
+On **PC0003**:
+
+1. Open the Configuration Manager control panel (control smscfgrc).
+2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
+3. Verify that Configuration Manager has successfullyl found a site to manage this client is displayed. See the following example.
+
+![pc0003a](../images/pc0003a.png)
+
+## Create a device collection and add the PC0003 computer
+
+On **CM01**:
+
+1.  Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+  * General
+    * Name: Install Windows 10 Enterprise x64
+    * Limited Collection: All Systems
+  * Membership rules
+    * Add Rule: Direct rule
+      * Resource Class: System Resource
+      * Attribute Name: Name
+      * Value: PC0003
+    * Select Resources
+      * Select **PC0003**
+
+  Use the default settings to complete the remaining wizard pages and click **Close**.
+
+2.  Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
+
+    >[!NOTE]
+    >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then click **Deploy**. Use the following settings:
+
+- General
+    - Collection: Install Windows 10 Enterprise x64
+- Deployment Settings
+    - Purpose: Available
+    - Make available to the following: Configuration Manager clients, media and PXE
+
+    >[!NOTE]
+    >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+
+- Scheduling
+    - &lt;default&gt;
+- User Experience
+    - &lt;default&gt;
+- Alerts
+    - &lt;default&gt;
+- Distribution Points
+    - &lt;default&gt;
+
+## Initiate a computer refresh
+
+Now you can start the computer refresh on PC0003.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Assets and Compliance workspace, click the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, click **Download Computer Policy**, and then click **OK** in the popup dialog box that appears.
+
+On **PC0003**:
+
+1.  Open the Software Center (click Start and type **Software Center**, or click the **New software is available** balloon in the system tray), select **Operating Systems** and click the **Windows 10 Enterprise x64 RTM** deployment, then click **Install**.
+2.  In the **Software Center** warning dialog box, click **Install Operating System**. 
+3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
+
+![pc0003b](../images/pc0003b.png)<br>
+![pc0003c](../images/pc0003c.png)<br>
+![pc0003d](../images/pc0003d.png)<br>
+![pc0003e](../images/pc0003e.png)<br>
+![pc0003f](../images/pc0003f.png)<br>
+![pc0003g](../images/pc0003g.png)<br>
+![pc0003h](../images/pc0003h.png)<br>
+![pc0003i](../images/pc0003i.png)<br>
+![pc0003j](../images/pc0003j.png)<br>
+![pc0003k](../images/pc0003k.png)
+
+Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..b2ef8ff138
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,214 @@
+---
+title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, replace computer, setup
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+
+In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+
+For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+  - Important: CM01 must include the **[State migration point](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. 
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
+- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
+
+>[!NOTE]
+>PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Create a replace task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
+3. On the **General** page, assign the following settings and click **Next**:
+
+   * Task sequence name: Replace Task Sequence
+   * Task sequence comments: USMT backup only
+
+4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
+6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then click **Next**.
+7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
+8. On the **Summary** page, review the details and then click **Next**.
+9. On the **Confirmation** page, click **Finish**.
+
+10. Review the Replace Task Sequence. 
+
+    >[!NOTE]
+    >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
+
+![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence")
+
+The backup-only task sequence (named Replace Task Sequence).
+
+## Associate the new device with the old computer
+
+This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
+
+On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
+
+1.  Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet.
+
+On **CM01**:
+
+2.  Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
+3.  On the **Select Source** page, select **Import single computer** and click **Next**.
+4.  On the **Single Computer** page, use the following settings and then click **Next**:
+
+    * Computer Name: PC0006
+    * MAC Address: &lt;the mac address that you wrote down&gt;
+    * Source Computer: PC0004
+
+    ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association")
+
+    Creating the computer association between PC0004 and PC0006.
+
+5.  On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
+6.  On the **Data Preview** page, click **Next**.
+7.  On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**.
+8.  On the **Summary** page, click **Next**, and then click **Close**.
+9.  Select the **User State Migration** node and review the computer association in the right hand pane.
+10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
+11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
+
+## Create a device collection and add the PC0004 computer
+
+On **CM01**:
+
+1.  Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+    * General
+      * Name: USMT Backup (Replace)
+      * Limited Collection: All Systems
+    * Membership rules:
+      * Add Rule: Direct rule
+        * Resource Class: System Resource
+        * Attribute Name: Name
+        * Value: PC0004
+        * Select Resources:
+          * Select **PC0004**
+
+    Use default settings for the remaining wizard pages, then click **Close**.
+
+2.  Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
+
+-   General
+    -   Collection: USMT Backup (Replace)
+-   Deployment Settings
+    -   Purpose: Available
+    -   Make available to the following: Only Configuration Manager Clients
+-   Scheduling
+    -   &lt;default&gt;
+-   User Experience
+    -   &lt;default&gt;
+-   Alerts
+    -   &lt;default&gt;
+-   Distribution Points
+    -   &lt;default&gt;
+
+## Verify the backup
+
+This section assumes that you have a computer named PC0004 with the Configuration Manager client installed.
+
+On **PC0004**:
+
+1.  If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
+2.  On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+    >[!NOTE]
+    >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3.  Open the Software Center, select the **Replace Task Sequence** deployment and then click **Install**.
+4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5.  Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
+
+![pc0004b](../images/pc0004b.png)
+
+Capturing the user state
+
+On **CM01**:
+
+6.  Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup.
+7.  Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
+
+    >[!NOTE]
+    >It may take a few minutes for the user state store location to be populated.
+
+## Deploy the new computer
+
+On **PC0006**:
+
+1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
+
+    * Password: pass@word1
+    * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+
+2.  The setup now starts and does the following:
+
+    * Installs the Windows 10 operating system
+    * Installs the Configuration Manager client
+    * Joins it to the domain
+    * Installs the applications
+    * Restores the PC0004 backup
+
+When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
+
+![pc0006a](../images/pc0006a.png)<br>
+![pc0006b](../images/pc0006b.png)<br>
+![pc0006c](../images/pc0006c.png)<br>
+![pc0006d](../images/pc0006d.png)<br>
+![pc0006e](../images/pc0006e.png)<br>
+![pc0006f](../images/pc0006f.png)<br>
+![pc0006g](../images/pc0006g.png)<br>
+![pc0006h](../images/pc0006h.png)<br>
+![pc0006i](../images/pc0006i.png)
+
+Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
new file mode 100644
index 0000000000..553be3b239
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -0,0 +1,142 @@
+---
+title: Perform in-place upgrade to Windows 10 via Configuration Manager
+description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
+ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+-   Windows 10
+
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
+
+>[!IMPORTANT]
+>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+
+For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+## Add an OS upgrade package
+
+Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](https://docs.microsoft.com/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**.
+2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
+3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**.
+4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**.
+5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
+6.  Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
+7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8.  View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+
+## Create an in-place upgrade task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
+2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and click **Next**.
+3. Use the following settings to complete the wizard:
+
+   * Task sequence name: Upgrade Task Sequence
+   * Description: In-place upgrade
+   * Upgrade package: Windows 10 x64 RTM
+   * Include software updates: Do not install any software updates
+   * Install applications: OSD \ Adobe Acrobat Reader DC
+
+4. Complete the wizard, and click **Close**.
+5. Review the Upgrade Task Sequence.
+
+![The upgrade task sequence](../images/cm-upgrade-ts.png)
+
+The Configuration Manager upgrade task sequence
+
+## Create a device collection
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0004 computer running Windows 7 SP1, with the Configuration Manager client installed.
+
+On **CM01**:
+
+1.  Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+    - General
+        - Name: Windows 10 x64 in-place upgrade
+        - Limited Collection: All Systems
+    - Membership rules:
+        - Direct rule
+            - Resource Class: System Resource
+            - Attribute Name: Name
+            - Value: PC0004
+        - Select Resources
+          - Select PC0004
+
+2.  Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection.
+
+## Deploy the Windows 10 upgrade
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+On **CM01**:
+
+1.  Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then click **Deploy**.
+2.  On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then click **Next**.
+3.  On the **Content** page, click **Next**.
+4.  On the **Deployment Settings** page, click **Next**:
+5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
+6.  On the **User Experience** page, accept the default settings, and then click **Next**.
+7.  On the **Alerts** page, accept the default settings, and then click **Next**.
+7.  On the **Distribution Points** page, accept the default settings, and then click **Next**.
+8.  On the **Summary** page, click **Next**, and then click **Close**.
+
+## Start the Windows 10 upgrade
+
+Next, run the in-place upgrade task sequence on PC0004.
+
+On **PC0004**:
+
+1.  Open the Configuration Manager control panel (control smscfgrc).
+2.  On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+    >[!NOTE]
+    >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3.  Open the Software Center, select the **Upgrade Task Sequence** deployment and then click **Install**.
+4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5.  Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
+
+![pc0004-a](../images/pc0004-a.png)<br>
+![pc0004-b](../images/pc0004-b.png)<br>
+![pc0004-c](../images/pc0004-c.png)<br>
+![pc0004-d](../images/pc0004-d.png)<br>
+![pc0004-e](../images/pc0004-e.png)<br>
+![pc0004-f](../images/pc0004-f.png)<br>
+![pc0004-g](../images/pc0004-g.png)
+
+In-place upgrade with Configuration Manager
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
deleted file mode 100644
index 45f4bb2bb8..0000000000
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: Create a task sequence with Configuration Manager (Windows 10)
-description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, task sequence, install
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.pagetype: mdt
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a task sequence with Configuration Manager and MDT
-
-
-**Applies to**
-
--   Windows 10
-
-In this topic, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard
-
-
-This section walks you through the process of creating a Configuration Manager task sequence for production use.
-
-1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2.  On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-
-3.  On the **General** page, assign the following settings and then click **Next**:
-
-    * Task sequence name: Windows 10 Enterprise x64 RTM
-
-    * Task sequence comments: Production image with Office 2013
-
-4.  On the **Details** page, assign the following settings and then click **Next**:
-
-    * Join a Domain
-
-    * Domain: contoso.com
-
-        * Account: CONTOSO\\CM\_JD
-
-        * Password: Passw0rd!
-
-    * Windows Settings
-
-        * User name: Contoso
-
-        * Organization name: Contoso
-
-        * Product key: &lt;blank&gt;
-
-5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
-
-6.  On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-7.  On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-
-8.  On the **MDT Details** page, assign the name **MDT** and click **Next**.
-
-9.  On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-
-10. On the **Deployment Method** page, accept the default settings and click **Next**.
-
-11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
-
-12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
-
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-
-15. On the **Sysprep Package** page, click **Next** twice.
-
-16. On the **Confirmation** page, click **Finish**.
-
-## <a href="" id="sec02"></a>Edit the task sequence
-
-
-After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
-
-1.  On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
-
-2.  In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
-
-    * OSDPreserveDriveLetter: True
-    
-    >[!NOTE]
-    >If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-3.  In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
-
-4.  In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-
-5.  After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-
-6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-
-    * Name: HP EliteBook 8560w
-
-    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-
-    * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-    
-    >[!NOTE]
-    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-    
-    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
-    
-    *Figure 24. The driver package options*
-
-7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
-
-8.  Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
-
-    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
-
-    *Figure 25. Add an application to the Configuration Manager task sequence*
-
-9.  In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
-
-    * Restore state from another computer
-
-    * If computer account fails to connect to state store, use the Network Access account
-
-    * Options: Continue on error
-
-    * Options / Condition:
-    
-      * Task Sequence Variable
-      
-      * USMTLOCAL not equals True
-
-10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
-
-    * Options: Continue on error
-
-    * Options / Condition:
-    
-      * Task Sequence Variable
-      
-      * USMTLOCAL not equals True
-
-11. Click **OK**.
-
->[!NOTE]
->The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
-
- 
-
-## <a href="" id="sec03"></a>Move the packages
-
-
-While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
-
-1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-
-2.  Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-
-3.  In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
deleted file mode 100644
index 54b6e72815..0000000000
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Integrate Configuration Manager with MDT (Windows 10)
-description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows.
-ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-ms.pagetype: mdt
-keywords: deploy, image, customize, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Integrate Configuration Manager with MDT
-
-**Applies to**
--   Windows 10
-
-This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-## <a href="" id="sec01"></a>Why integrate MDT with Configuration Manager
-
-As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
-
-> [!Note] 
-> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server.
-
-### MDT enables dynamic deployment
-
-When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
-
-The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
--   The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
-
-    ``` syntax
-    [Settings] 
-    Priority=Model
-    [HP EliteBook 8570w] 
-    Packages001=PS100010:Install HP Hotkeys
-    ```
--   The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
-
-    ``` syntax
-    [Settings]
-    Priority= ByLaptopType, ByDesktopType
-    [ByLaptopType]
-    Subsection=Laptop-%IsLaptop%
-    [ByDesktopType]
-    Subsection=Desktop-%IsDesktop%
-    [Laptop-True]
-    Packages001=PS100012:Install Cisco VPN Client
-    OSDComputerName=LT-%SerialNumber%
-    MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
-    [Desktop-True]
-    OSDComputerName=DT-%SerialNumber%
-    MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
-    ```
-
-![figure 2](../images/fig2-gather.png)
-
-Figure 2. The Gather action in the task sequence is reading the rules.
-
-### MDT adds an operating system deployment simulation environment
-
-When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
-
-![figure 3](../images/mdt-06-fig03.png)
-
-Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
-
-### MDT adds real-time monitoring
-
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
-![figure 4](../images/mdt-06-fig04.png)
-
-Figure 4. View the real-time monitoring data with PowerShell.
-
-### MDT adds an optional deployment wizard
-
-For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
-![figure 5](../images/mdt-06-fig05.png)
-
-Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
-
-MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
-
-## <a href="" id="sec02"></a>Why use MDT Lite Touch to create reference images
-
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
--   In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
--   You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
--   Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
--   The Configuration Manager task sequence does not suppress user interface interaction.
--   MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
--   MDT Lite Touch does not require any infrastructure and is easy to delegate.
-
-## Related topics
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) 
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 41701e19c0..2245bcd552 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -121,7 +121,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
   cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
   ```
 
->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01.
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
 
 ## Install MDT
 
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
deleted file mode 100644
index 04dc40cc6e..0000000000
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
-description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
-ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## <a href="" id="sec01"></a>Add drivers for Windows PE
-
-
-This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01.
-
-1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**.
-
-2.  In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
-
-3.  On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
-
-4.  On the **Select the packages to add the imported driver** page, click **Next**.
-
-5.  On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
-![Add drivers to Windows PE](../images/fig21-add-drivers.png "Add drivers to Windows PE")
-
-*Figure 21. Add drivers to Windows PE*
-
->[!NOTE]
->The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
- 
-
-## <a href="" id="sec02"></a>Add drivers for Windows 10
-
-
-This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01.
-
-1.  On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**.
-
-2.  In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**.
-
-3.  On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
-
-    ![Create driver categories](../images/fig22-createcategories.png "Create driver categories")
-
-    *Figure 22. Create driver categories*
-
-4.  On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
-
-    * Name: Windows 10 x64 - HP EliteBook 8560w
-
-    * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
-    >[!NOTE]
-    >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
-     
-
-5.  On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
-
-    >[!NOTE]
-    >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-  
-    ![Drivers imported and a new driver package created](../images/mdt-06-fig26.png "Drivers imported and a new driver package created")
-  
-    *Figure 23. Drivers imported and a new driver package created*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
deleted file mode 100644
index 789d6e651e..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
-ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: tool, customize, deploy, boot image
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a custom Windows PE boot image with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## <a href="" id="sec01"></a>Add DaRT 10 files and prepare to brand the boot image
-
-
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
-
-1.  Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings.
-
-2.  Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-
-3.  Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
-
-4.  Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
-
-5.  Using File Explorer, navigate to the **C:\\Setup** folder.
-
-6.  Copy the **Branding** folder to **E:\\Sources\\OSD**.
-
-## <a href="" id="sec02"></a>Create a boot image for Configuration Manager using the MDT wizard
-
-
-By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
-
-1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
-
-2.  On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
-
-    >[!NOTE]
-    >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-3.  On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
-
-4.  On the **Options** page, select the **x64** platform, and click **Next**.
-
-5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
-
-    ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
-
-    Figure 15. Add the DaRT component to the Configuration Manager boot image.
-
-6.  On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
-
-    >[!NOTE]
-    >It will take a few minutes to generate the boot image.
-
-7.  Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
-
-8.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-9.  Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
-
-    ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image")
-
-    Figure 16. Content status for the Zero Touch WinPE x64 boot image
-
-10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
-
-11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
-
-12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages.
-
-13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index f19cafa1a4..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deployment, task sequence, custom, customize
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create an application to deploy with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for  Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-## Example: Create the Adobe Reader XI application
-
-
-The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
-
-1.  On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
-
-2.  Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-
-3.  Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
-
-4.  Right-click the **OSD** folder, and select **Create Application**.
-
-5.  In the Create Application Wizard, on the **General** page, use the following settings:
-
-    * Automatically detect information about this application from installation files
-
-    * Type: Windows Installer (\*.msi file)
-
-    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
-
-    * \\AdbeRdr11000\_en\_US.msi
-
-    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
-
-    *Figure 19. The Create Application Wizard*
-
-6.  Click **Next**, and wait while Configuration Manager parses the MSI file.
-
-7.  On the **Import Information** page, review the information and then click **Next**.
-
-8.  On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
-
-    >[!NOTE]
-    >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-  
-    ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
-  
-    *Figure 20. Add the "OSD Install" suffix to the application name*
-
-9.  In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
-
-10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
deleted file mode 100644
index 6b8c2133f1..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deployment, image, UEFI, task sequence
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 using PXE and Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
-
-For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-1.  Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-
-    ![figure 31](../images/mdt-06-fig36.png)
-
-    Figure 31. PXE booting PC0001.
-
-2.  On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**.
-
-3.  On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
-
-4.  On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-
-![figure 32](../images/mdt-06-fig37.png)
-
-Figure 32. Typing in the computer name.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
deleted file mode 100644
index 5a2a0146fc..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Deploy Windows 10 with Microsoft Endpoint Configuration Manager (Windows 10)
-description: If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-![figure 1](../images/mdt-06-fig01.png)
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
--   [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
--   [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
--   [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
--   [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
--   [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
--   [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
--   [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
--   [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
--   [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
--   [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-
--   [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
--   [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
--   **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
-
--   **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
-
--   **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
-
--   **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
-
--   **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-
--   **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-
--   **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-
--   **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-
--   **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
-    **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-## See also
-
--   [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
--   [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
--   [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
--   [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
--   [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
--   [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
--   [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
deleted file mode 100644
index 0c75a0f3df..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Deploy Windows 10 with Configuration Manager (Windows 10)
-description: If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-![figure 1](../images/mdt-06-fig01.png)
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
--   [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
--   [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
--   [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
--   [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
--   [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
--   [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
--   [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
--   [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
--   [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
--   [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
--   [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
--   [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
--   **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
--   **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
--   **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
--   **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
--   **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
--   **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
--   **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
--   **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
--   **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
-    **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-     
-
-## See also
-
--   [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)<br>
--   [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)<br>
--   [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)<br>
--   [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)<br>
--   [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)<br>
--   [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)<br>
--   [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index 99f2e1edd9..0000000000
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: Finalize operating system configuration for Windows 10 deployment
-description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
-ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: configure, deploy, upgrade
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft Endpoint Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## <a href="" id="sec01"></a>Enable MDT monitoring
-
-
-This section will walk you through the process of creating the E:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
-
-1.  On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
-
-    * Deployment share path: E:\\MDTProduction
-
-    * Share name: MDTProduction$
-
-    * Deployment share description: MDT Production
-
-    * Options: &lt;default settings&gt;
-
-2.  Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
-
-    ![Enable MDT monitoring for Configuration Manager](../images/mdt-06-fig31.png)
-
-    *Figure 26. Enable MDT monitoring for Configuration Manager*
-
-## <a href="" id="sec02"></a>Create and share the Logs folder
-
-
-To support additional server-side logging in Configuration Manager, you create and share the E:\\Logs folder on CM01 using Windows PowerShell. Then in the next step, you enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
-
-1.  On CM01, start an elevated Windows PowerShell prompt (run as Administrator).
-
-2.  Type the following commands, pressing **Enter** after each one:
-
-    ``` 
-    New-Item -Path E:\Logs -ItemType directory
-    New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
-    icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
-    ```
-
-## <a href="" id="sec03"></a>Configure the rules (Windows 10 x64 Settings package)
-
-
-This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment.
-
-1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
-
-2. Using Notepad, edit the CustomSetting.ini file with the following settings:
-
-   ``` 
-   [Settings]
-   Priority=Default
-   Properties=OSDMigrateConfigFiles,OSDMigrateMode
-   [Default]
-   DoCapture=NO
-   ComputerBackupLocation=NONE
-   MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
-   OSDMigrateMode=Advanced
-   OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
-   OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
-   SLSHARE=\\CM01\Logs$
-   EventService=http://CM01:9800
-   ApplyGPOPack=NO
-   ```
-
-   ![Settings package during deployment](../images/fig30-settingspack.png)
-
-   *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
-
-3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
-
-   >[!NOTE]
-   >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
-
- 
-
-## <a href="" id="sec04"></a>Distribute content to the CM01 distribution portal
-
-
-In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
-
-1.  **On CM01, using the Configuration Manager Console**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content.**
-
-2.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-3.  Using Configuration Manager Trace, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
-
-## <a href="" id="sec05"></a>Create a deployment for the task sequence
-
-
-This sections provides steps to help you create a deployment for the task sequence.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**.
-
-2. On the **General** page, select the **All Unknown Computers** collection and click **Next**.
-
-3. On the **Deployment Settings** page, use the following settings and then click **Next**:
-
-   * Purpose: Available
-
-   * Make available to the following: Only media and PXE
-
-   ![Configure the deployment settings](../images/mdt-06-fig33.png)
-    
-   *Figure 28. Configure the deployment settings*
-
-4. On the **Scheduling** page, accept the default settings and click **Next**.
-
-5. On the **User Experience** page, accept the default settings and click **Next**.
-
-6. On the **Alerts** page, accept the default settings and click **Next**.
-
-7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
-
-   ![Task sequence deployed](../images/fig32-deploywiz.png)
-
-   *Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
-
-## <a href="" id="sec06"></a>Configure Configuration Manager to prompt for the computer name during deployment (optional)
-
-
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
-
-This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
-
-1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
-
-2. In the **Collection Variables** tab, create a new variable with the following settings:
-
-   * Name: OSDComputerName
-
-   * Clear the **Do not display this value in the Configuration Manager console** check box.
-
-3. Click **OK**.
-
-   >[!NOTE]
-   >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
-   
-   ![Configure a collection variable](../images/mdt-06-fig35.png)
-   
-   *Figure 30. Configure a collection variable*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index c1461b27eb..0000000000
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Monitor the Windows 10 deployment with Configuration Manager
-description: Learn how to monitor a Windows 10 deployment with Configuration Manager. Use the Deployment Workbench to access the computer remotely.
-ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Monitor the Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft Endpoint Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-To monitor an operating system deployment conducted through  Microsoft Endpoint Configuration Manager, you will use the Deployment Workbench in MDT as follows:
-
-1.  On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
-
-    >[!NOTE]
-    >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
-    ![PC0001 being deployed by Configuration Manager](../images/mdt-06-fig39.png)
-    
-    *Figure 33. PC0001 being deployed by Configuration Manager*
-
-2.  When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
-
-3.  The task sequence will now run and do the following:
-
-    * Install the Windows 10 operating system.
-
-    * Install the Configuration Manager client and the client hotfix.
-
-    * Join the machine to the domain.
-
-    * Install the application added to the task sequence.
-    
-    >[!NOTE]
-    >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-  
-4.  If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
deleted file mode 100644
index 4ccb6b76ea..0000000000
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ /dev/null
@@ -1,285 +0,0 @@
----
-title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
-description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
-ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: install, configure, deploy, deployment
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will walk you through the process of integrating Microsoft Endpoint Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
-
-## Prerequisites
-
-
-In this topic, you will use an existing Configuration Manager server structure to prepare for operating system deployment. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
-
--   Active Directory Schema has been extended and System Management container created.
-
--   Active Directory Forest Discovery and Active Directory System Discovery have been enabled.
-
--   IP range boundaries and a boundary group for content and site assignment have been created.
-
--   The Configuration Manager reporting services point role has been added and configured
-
--   A file system folder structure for packages has been created.
-
--   A Configuration Manager console folder structure for packages has been created.
-
--   Microsoft Endpoint Configuration Manager and any additional Windows 10 prerequisites are installed.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## <a href="" id="sec01"></a>Create the Configuration Manager service accounts
-
-
-To configure permissions for the various service accounts needed for operating system deployment in Configuration Manager, you use a role-based model. To create the Configuration Manager Join Domain account as well as the Configuration Manager Network Access account, follow these steps:
-
-1.  On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-
-2.  Select the Service Accounts OU and create the CM\_JD account using the following settings:
-
-    * Name: CM\_JD
-
-    * User logon name: CM\_JD
-
-    * Password: P@ssw0rd
-
-    * User must change password at next logon: Clear
-
-    * User cannot change password: Select
-
-    * Password never expires: Select
-
-3.  Repeat the step, but for the CM\_NAA account.
-
-4.  After creating the accounts, assign the following descriptions:
-
-    * CM\_JD: Configuration Manager Join Domain Account
-
-    * CM\_NAA: Configuration Manager Network Access Account
-
-![figure 6](../images/mdt-06-fig06.png)
-
-Figure 6. The Configuration Manager service accounts used for operating system deployment.
-
-## <a href="" id="sec02"></a>Configure Active Directory permissions
-
-
-In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
-
-1. On DC01, log on as Administrator in the CONTOSO domain using the password <strong>P@ssw0rd</strong>.
-
-2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command:
-
-   ``` 
-   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
-
-   Set-Location C:\Setup\Scripts
-
-   .\Set-OUPermissions.ps1 -Account CM_JD 
-   -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
-   ```
-
-3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
-
-   * Scope: This object and all descendant objects
-
-   * Create Computer objects
-
-   * Delete Computer objects
-
-   * Scope: Descendant Computer objects
-
-   * Read All Properties
-
-   * Write All Properties
-
-   * Read Permissions
-
-   * Modify Permissions
-
-   * Change Password
-
-   * Reset Password
-
-   * Validated write to DNS host name
-
-   * Validated write to service principal name
-
-## <a href="" id="sec03"></a>Review the Sources folder structure
-
-
-To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
-
->[!NOTE]
->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
--   E:\\Sources
-
--   E:\\Sources\\OSD
-
--   E:\\Sources\\OSD\\Boot
-
--   E:\\Sources\\OSD\\DriverPackages
-
--   E:\\Sources\\OSD\\DriverSources
-
--   E:\\Sources\\OSD\\MDT
-
--   E:\\Sources\\OSD\\OS
-
--   E:\\Sources\\OSD\\Settings
-
--   E:\\Sources\\Software
-
--   E:\\Sources\\Software\\Adobe
-
--   E:\\Sources\\Software\\Microsoft
-
-![figure 7](../images/mdt-06-fig07.png)
-
-Figure 7. The E:\\Sources\\OSD folder structure.
-
-## <a href="" id="sec04"></a>Integrate Configuration Manager with MDT
-
-
-To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
-
-1. On CM01, log on as Administrator in the CONTOSO domain using the password <strong>P@ssw0rd</strong>.
-
-2. Make sure the Configuration Manager Console is closed before continuing.
-
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
-
-4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
-
-5. From the Start screen, run Configure ConfigManager Integration with the following settings:
-
-   * Site Server Name: CM01.contoso.com
-
-   * Site code: PS1
-
-![figure 8](../images/mdt-06-fig08.png)
-
-Figure 8. Set up the MDT integration with Configuration Manager.
-
-## <a href="" id="sec06"></a>Configure the client settings
-
-
-Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
-
-1.  On CM01, using the Configuration Manager Console, in the Administration workspace, select **Client Settings**.
-
-2.  In the right pane, right-click **Default Client Settings**, and select **Properties**.
-
-3.  In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
-
-![figure 9](../images/mdt-06-fig10.png)
-
-Figure 9. Configure the organization name in client settings.
-
-![figure 10](../images/fig10-contosoinstall.png)
-
-Figure 10. The Contoso organization name displayed during deployment.
-
-## <a href="" id="sec07"></a>Configure the Network Access account
-
-
-Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution point(s). In this section, you configure the Network Access account.
-
-1.  Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
-
-2.  Right-click **PS1 - Primary Site 1**, select **Configure Site Components**, and then select **Software Distribution**.
-
-3.  In the **Network Access Account** tab, configure the **CONTOSO\\CM\_NAA** user account (select New Account) as the Network Access account. Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
-
-![figure 11](../images/mdt-06-fig12.png)
-
-Figure 11. Test the connection for the Network Access account.
-
-## <a href="" id="sec08"></a>Enable PXE on the CM01 distribution point
-
-
-Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
-
-1.  In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
-
-2.  Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
-
-3.  In the **PXE** tab, select the following settings:
-
-    * Enable PXE support for clients
-
-    * Allow this distribution point to respond to incoming PXE requests
-
-    * Enable unknown computer support
-
-    * Require a password when computers use PXE
-
-    * Password and Confirm password: Passw0rd!
-
-    ![figure 12](../images/mdt-06-fig13.png)
-
-    Figure 12. Configure the CM01 distribution point for PXE.
-
-4.  Using the Configuration Manager Trace Log Tool, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
-
-    ![figure 13](../images/mdt-06-fig14.png)
-
-    Figure 13. The distmgr.log displays a successful configuration of PXE on the distribution point.
-
-5.  Verify that you have seven files in each of the folders **E:\\RemoteInstall\\SMSBoot\\x86** and **E:\\RemoteInstall\\SMSBoot\\x64**.
-
-    ![figure 14](../images/mdt-06-fig15.png)
-
-    Figure 14. The contents of the E:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index d9550467e3..0000000000
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
-ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, computer refresh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft Endpoint Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
-
-A computer refresh with Microsoft Endpoint Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
-
-1.  Data and settings are backed up locally in a backup folder.
-
-2.  The partition is wiped, except for the backup folder.
-
-3.  The new operating system image is applied.
-
-4.  Other applications are installed.
-
-5.  Data and settings are restored.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
-
-## <a href="" id="sec01"></a>Create a device collection and add the PC0003 computer
-
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-
-    * General
-
-    * Name: Install Windows 10 Enterprise x64
-
-    * Limited Collection: All Systems
-
-    * Membership rules:
-
-    * Direct rule
-
-    * Resource Class: System Resource
-
-    * Attribute Name: Name
-
-    * Value: PC0003
-
-    * Select **Resources**
-
-    * Select **PC0003**
-
-2.  Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-
-    >[!NOTE]
-    >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
-
- 
-
-## <a href="" id="sec02"></a>Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings:
-
--   General
-
-    -   Collection: Install Windows 10 Enterprise x64
-
--   Deployment Settings
-
-    -   Purpose: Available
-
-    -   Make available to the following: Configuration Manager clients, media and PXE
-
-    >[!NOTE]
-    >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
-
-     
-
--   Scheduling
-
-    -   &lt;default&gt;
-
--   User Experience
-
-    -   &lt;default&gt;
-
--   Alerts
-
-    -   &lt;default&gt;
-
--   Distribution Points
-
-    -   &lt;default&gt;
-
-## <a href="" id="sec03"></a>Initiate a computer refresh
-
-
-Now you can start the computer refresh on PC0003.
-
-1.  Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
-
-    >[!NOTE]
-    >The Client Notification feature is new in Configuration Manager.
-
-2.  On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
-
-3.  In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index b00e32b337..0000000000
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,241 +0,0 @@
----
-title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, replace computer, setup
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). 
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
-
-## <a href="" id="sec01"></a>Create a replace task sequence
-
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and click **Next**:
-
-   * Task sequence name: Replace Task Sequence
-
-   * Task sequence comments: USMT backup only
-
-4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
-
-6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
-
-8. On the **Summary** page, review the details and then click **Next**.
-
-9. On the **Confirmation** page, click **Finish**.
-
-10. Review the Replace Task Sequence. 
-    >[!NOTE]
-    >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
-![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence")
-
-Figure 34. The backup-only task sequence (named Replace Task Sequence).
-
-## <a href="" id="sec02"></a>Associate the new machine with the old computer
-
-
-This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
-
-1.  Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96.
-
-2.  Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
-
-3.  On the **Select Source** page, select **Import single computer** and click **Next**.
-
-4.  On the **Single Computer** page, use the following settings and then click **Next**:
-
-    * Computer Name: PC0006
-
-    * MAC Address: &lt;the mac address from step 1&gt;
-
-    * Source Computer: PC0004
-
-    ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association")
-
-    Figure 35. Creating the computer association between PC0004 and PC0006.
-
-5.  On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
-
-6.  On the **Data Preview** page, click **Next**.
-
-7.  On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**.
-
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-
-9.  Select the **User State Migration** node and review the computer association in the right pane.
-
-10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
-
-11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again.
-
-## <a href="" id="sec03"></a>Create a device collection and add the PC0004 computer
-
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
-
-    * General
-
-    * Name: USMT Backup (Replace)
-
-    * Limited Collection: All Systems
-
-    * Membership rules:
-
-    * Direct rule
-
-    * Resource Class: System Resource
-
-    * Attribute Name: Name
-
-    * Value: PC0004
-
-    * Select **Resources**
-
-    * Select **PC0004**
-
-2.  Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
-
-## <a href="" id="sec04"></a>Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
-
--   General
-
-    -   Collection: USMT Backup (Replace)
-
--   Deployment Settings
-
-    -   Purpose: Available
-
-    -   Make available to the following: Only Configuration Manager Clients
-
--   Scheduling
-
-    -   &lt;default&gt;
-
--   User Experience
-
-    -   &lt;default&gt;
-
--   Alerts
-
-    -   &lt;default&gt;
-
--   Distribution Points
-
-    -   &lt;default&gt;
-
-## <a href="" id="sec05"></a>Verify the backup
-
-
-This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed.
-
-1.  Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet.
-
-2.  In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
-
-    >[!NOTE]
-    >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-3.  Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
-
-4.  In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**.
-
-5.  Allow the Replace Task Sequence to complete. It should only take about five minutes.
-
-6.  On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup.
-
-7.  Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-
-    >[!NOTE]
-    >It may take a few minutes for the user state store location to be populated.
-
- 
-
-## <a href="" id="sec06"></a>Deploy the new computer
-
-
-1.  Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
-
-    * Password: P@ssw0rd
-
-    * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
-
-2.  The setup now starts and does the following:
-
-    * Installs the Windows 10 operating system
-
-    * Installs the Configuration Manager client
-
-    * Joins it to the domain
-
-    * Installs the applications
-
-    * Restores the PC0004 backup
-
-When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 8fc3e2cdc1..4680e56b08 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -30,7 +30,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
 |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to  deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
 |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
 |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
 |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
 |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
 
diff --git a/windows/deployment/images/ContosoBackground.bmp b/windows/deployment/images/ContosoBackground.bmp
new file mode 100644
index 0000000000..99c9e7c8eb
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.bmp differ
diff --git a/windows/deployment/images/ContosoBackground.png b/windows/deployment/images/ContosoBackground.png
new file mode 100644
index 0000000000..12a04f0e83
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.png differ
diff --git a/windows/deployment/images/cm-upgrade-ts.png b/windows/deployment/images/cm-upgrade-ts.png
new file mode 100644
index 0000000000..15c6b04400
Binary files /dev/null and b/windows/deployment/images/cm-upgrade-ts.png differ
diff --git a/windows/deployment/images/cm01-content-status1.png b/windows/deployment/images/cm01-content-status1.png
new file mode 100644
index 0000000000..2aa9f3bce1
Binary files /dev/null and b/windows/deployment/images/cm01-content-status1.png differ
diff --git a/windows/deployment/images/cm01-drivers-packages.png b/windows/deployment/images/cm01-drivers-packages.png
new file mode 100644
index 0000000000..9453c20588
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-packages.png differ
diff --git a/windows/deployment/images/cm01-drivers-windows.png b/windows/deployment/images/cm01-drivers-windows.png
new file mode 100644
index 0000000000..16a6c031c7
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-windows.png differ
diff --git a/windows/deployment/images/cm01-drivers.png b/windows/deployment/images/cm01-drivers.png
new file mode 100644
index 0000000000..57de49530b
Binary files /dev/null and b/windows/deployment/images/cm01-drivers.png differ
diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png
similarity index 100%
rename from windows/deployment/images/sccm-asset.PNG
rename to windows/deployment/images/configmgr-asset.png
diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png
new file mode 100644
index 0000000000..264606c2ab
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.png differ
diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG
similarity index 100%
rename from windows/deployment/images/sccm-client.PNG
rename to windows/deployment/images/configmgr-client.PNG
diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG
similarity index 100%
rename from windows/deployment/images/sccm-collection.PNG
rename to windows/deployment/images/configmgr-collection.PNG
diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/deployment/images/sccm-install-os.PNG
rename to windows/deployment/images/configmgr-install-os.PNG
diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/deployment/images/sccm-post-refresh.PNG
rename to windows/deployment/images/configmgr-post-refresh.PNG
diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/deployment/images/sccm-pxe.PNG
rename to windows/deployment/images/configmgr-pxe.PNG
diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG
similarity index 100%
rename from windows/deployment/images/sccm-site.PNG
rename to windows/deployment/images/configmgr-site.PNG
diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/deployment/images/sccm-software-cntr.PNG
rename to windows/deployment/images/configmgr-software-cntr.PNG
diff --git a/windows/deployment/images/fig16-contentstatus1.png b/windows/deployment/images/fig16-contentstatus1.png
new file mode 100644
index 0000000000..32c6023e7c
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus1.png differ
diff --git a/windows/deployment/images/fig16-contentstatus2.png b/windows/deployment/images/fig16-contentstatus2.png
new file mode 100644
index 0000000000..d28385f4ae
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus2.png differ
diff --git a/windows/deployment/images/fig21-add-drivers1.png b/windows/deployment/images/fig21-add-drivers1.png
new file mode 100644
index 0000000000..79b797a7d3
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers1.png differ
diff --git a/windows/deployment/images/fig21-add-drivers2.png b/windows/deployment/images/fig21-add-drivers2.png
new file mode 100644
index 0000000000..2f18c5b660
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers2.png differ
diff --git a/windows/deployment/images/fig21-add-drivers3.png b/windows/deployment/images/fig21-add-drivers3.png
new file mode 100644
index 0000000000..45f97d0835
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers3.png differ
diff --git a/windows/deployment/images/fig21-add-drivers4.png b/windows/deployment/images/fig21-add-drivers4.png
new file mode 100644
index 0000000000..a6613d8718
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers4.png differ
diff --git a/windows/deployment/images/fig22-createcategories.png b/windows/deployment/images/fig22-createcategories.png
index 8912ad974f..664ffb2777 100644
Binary files a/windows/deployment/images/fig22-createcategories.png and b/windows/deployment/images/fig22-createcategories.png differ
diff --git a/windows/deployment/images/fig27-driverpackage.png b/windows/deployment/images/fig27-driverpackage.png
index c2f66669be..cfb17d05ba 100644
Binary files a/windows/deployment/images/fig27-driverpackage.png and b/windows/deployment/images/fig27-driverpackage.png differ
diff --git a/windows/deployment/images/fig28-addapp.png b/windows/deployment/images/fig28-addapp.png
index a7ba6b3709..34f6f44519 100644
Binary files a/windows/deployment/images/fig28-addapp.png and b/windows/deployment/images/fig28-addapp.png differ
diff --git a/windows/deployment/images/fig30-settingspack.png b/windows/deployment/images/fig30-settingspack.png
index 3479184140..4dd820aadf 100644
Binary files a/windows/deployment/images/fig30-settingspack.png and b/windows/deployment/images/fig30-settingspack.png differ
diff --git a/windows/deployment/images/fig32-deploywiz.png b/windows/deployment/images/fig32-deploywiz.png
index a1387b19d8..ad5052af7d 100644
Binary files a/windows/deployment/images/fig32-deploywiz.png and b/windows/deployment/images/fig32-deploywiz.png differ
diff --git a/windows/deployment/images/mdt-06-fig10.png b/windows/deployment/images/mdt-06-fig10.png
index 1d92505b96..85b448ba87 100644
Binary files a/windows/deployment/images/mdt-06-fig10.png and b/windows/deployment/images/mdt-06-fig10.png differ
diff --git a/windows/deployment/images/mdt-06-fig12.png b/windows/deployment/images/mdt-06-fig12.png
index f33eca6174..a427be3f1d 100644
Binary files a/windows/deployment/images/mdt-06-fig12.png and b/windows/deployment/images/mdt-06-fig12.png differ
diff --git a/windows/deployment/images/mdt-06-fig13.png b/windows/deployment/images/mdt-06-fig13.png
index ab578f69fe..a9f020b0da 100644
Binary files a/windows/deployment/images/mdt-06-fig13.png and b/windows/deployment/images/mdt-06-fig13.png differ
diff --git a/windows/deployment/images/mdt-06-fig14.png b/windows/deployment/images/mdt-06-fig14.png
index 13158231fd..1d06c9c7e2 100644
Binary files a/windows/deployment/images/mdt-06-fig14.png and b/windows/deployment/images/mdt-06-fig14.png differ
diff --git a/windows/deployment/images/mdt-06-fig15.png b/windows/deployment/images/mdt-06-fig15.png
index 2f1a0eba18..ffa5890a84 100644
Binary files a/windows/deployment/images/mdt-06-fig15.png and b/windows/deployment/images/mdt-06-fig15.png differ
diff --git a/windows/deployment/images/mdt-06-fig16.png b/windows/deployment/images/mdt-06-fig16.png
index 40cb46adbd..f448782602 100644
Binary files a/windows/deployment/images/mdt-06-fig16.png and b/windows/deployment/images/mdt-06-fig16.png differ
diff --git a/windows/deployment/images/mdt-06-fig20.png b/windows/deployment/images/mdt-06-fig20.png
index 475fad7597..890c421227 100644
Binary files a/windows/deployment/images/mdt-06-fig20.png and b/windows/deployment/images/mdt-06-fig20.png differ
diff --git a/windows/deployment/images/mdt-06-fig21.png b/windows/deployment/images/mdt-06-fig21.png
index 7cbd1d20bc..07b168ab89 100644
Binary files a/windows/deployment/images/mdt-06-fig21.png and b/windows/deployment/images/mdt-06-fig21.png differ
diff --git a/windows/deployment/images/mdt-06-fig31.png b/windows/deployment/images/mdt-06-fig31.png
index 5e98d623b1..306f4a7980 100644
Binary files a/windows/deployment/images/mdt-06-fig31.png and b/windows/deployment/images/mdt-06-fig31.png differ
diff --git a/windows/deployment/images/mdt-06-fig33.png b/windows/deployment/images/mdt-06-fig33.png
index 18ae4c82dd..1529426830 100644
Binary files a/windows/deployment/images/mdt-06-fig33.png and b/windows/deployment/images/mdt-06-fig33.png differ
diff --git a/windows/deployment/images/mdt-06-fig42.png b/windows/deployment/images/mdt-06-fig42.png
index 12b0e6817a..e9cfe36083 100644
Binary files a/windows/deployment/images/mdt-06-fig42.png and b/windows/deployment/images/mdt-06-fig42.png differ
diff --git a/windows/deployment/images/mdt-06-fig43.png b/windows/deployment/images/mdt-06-fig43.png
index 015edd21e3..c9a2c88306 100644
Binary files a/windows/deployment/images/mdt-06-fig43.png and b/windows/deployment/images/mdt-06-fig43.png differ
diff --git a/windows/deployment/images/pc0001-monitor.png b/windows/deployment/images/pc0001-monitor.png
new file mode 100644
index 0000000000..7ba8e198bf
Binary files /dev/null and b/windows/deployment/images/pc0001-monitor.png differ
diff --git a/windows/deployment/images/pc0001a.png b/windows/deployment/images/pc0001a.png
new file mode 100644
index 0000000000..0f2be5a865
Binary files /dev/null and b/windows/deployment/images/pc0001a.png differ
diff --git a/windows/deployment/images/pc0001b.png b/windows/deployment/images/pc0001b.png
new file mode 100644
index 0000000000..456f6071a9
Binary files /dev/null and b/windows/deployment/images/pc0001b.png differ
diff --git a/windows/deployment/images/pc0001c.png b/windows/deployment/images/pc0001c.png
new file mode 100644
index 0000000000..d093e58d0a
Binary files /dev/null and b/windows/deployment/images/pc0001c.png differ
diff --git a/windows/deployment/images/pc0001d.png b/windows/deployment/images/pc0001d.png
new file mode 100644
index 0000000000..14f14a2e91
Binary files /dev/null and b/windows/deployment/images/pc0001d.png differ
diff --git a/windows/deployment/images/pc0001e.png b/windows/deployment/images/pc0001e.png
new file mode 100644
index 0000000000..41264f2c63
Binary files /dev/null and b/windows/deployment/images/pc0001e.png differ
diff --git a/windows/deployment/images/pc0001f.png b/windows/deployment/images/pc0001f.png
new file mode 100644
index 0000000000..8261c40953
Binary files /dev/null and b/windows/deployment/images/pc0001f.png differ
diff --git a/windows/deployment/images/pc0001g.png b/windows/deployment/images/pc0001g.png
new file mode 100644
index 0000000000..5fd7f8a4a7
Binary files /dev/null and b/windows/deployment/images/pc0001g.png differ
diff --git a/windows/deployment/images/pc0001h.png b/windows/deployment/images/pc0001h.png
new file mode 100644
index 0000000000..65bead5840
Binary files /dev/null and b/windows/deployment/images/pc0001h.png differ
diff --git a/windows/deployment/images/pc0001i.png b/windows/deployment/images/pc0001i.png
new file mode 100644
index 0000000000..76247a04df
Binary files /dev/null and b/windows/deployment/images/pc0001i.png differ
diff --git a/windows/deployment/images/pc0001j.png b/windows/deployment/images/pc0001j.png
new file mode 100644
index 0000000000..01d8fe22b7
Binary files /dev/null and b/windows/deployment/images/pc0001j.png differ
diff --git a/windows/deployment/images/pc0001k.png b/windows/deployment/images/pc0001k.png
new file mode 100644
index 0000000000..1f591d5164
Binary files /dev/null and b/windows/deployment/images/pc0001k.png differ
diff --git a/windows/deployment/images/pc0001l.png b/windows/deployment/images/pc0001l.png
new file mode 100644
index 0000000000..a2d491cef7
Binary files /dev/null and b/windows/deployment/images/pc0001l.png differ
diff --git a/windows/deployment/images/pc0001m.png b/windows/deployment/images/pc0001m.png
new file mode 100644
index 0000000000..d9e07b5d8a
Binary files /dev/null and b/windows/deployment/images/pc0001m.png differ
diff --git a/windows/deployment/images/pc0001n.png b/windows/deployment/images/pc0001n.png
new file mode 100644
index 0000000000..10819a15d9
Binary files /dev/null and b/windows/deployment/images/pc0001n.png differ
diff --git a/windows/deployment/images/pc0003a.png b/windows/deployment/images/pc0003a.png
new file mode 100644
index 0000000000..31d8d4068c
Binary files /dev/null and b/windows/deployment/images/pc0003a.png differ
diff --git a/windows/deployment/images/pc0003b.png b/windows/deployment/images/pc0003b.png
new file mode 100644
index 0000000000..8df2b066e6
Binary files /dev/null and b/windows/deployment/images/pc0003b.png differ
diff --git a/windows/deployment/images/pc0003c.png b/windows/deployment/images/pc0003c.png
new file mode 100644
index 0000000000..69db9cc567
Binary files /dev/null and b/windows/deployment/images/pc0003c.png differ
diff --git a/windows/deployment/images/pc0003d.png b/windows/deployment/images/pc0003d.png
new file mode 100644
index 0000000000..d36e293f74
Binary files /dev/null and b/windows/deployment/images/pc0003d.png differ
diff --git a/windows/deployment/images/pc0003e.png b/windows/deployment/images/pc0003e.png
new file mode 100644
index 0000000000..09be89ba61
Binary files /dev/null and b/windows/deployment/images/pc0003e.png differ
diff --git a/windows/deployment/images/pc0003f.png b/windows/deployment/images/pc0003f.png
new file mode 100644
index 0000000000..6f48f797df
Binary files /dev/null and b/windows/deployment/images/pc0003f.png differ
diff --git a/windows/deployment/images/pc0003g.png b/windows/deployment/images/pc0003g.png
new file mode 100644
index 0000000000..a5a935de32
Binary files /dev/null and b/windows/deployment/images/pc0003g.png differ
diff --git a/windows/deployment/images/pc0003h.png b/windows/deployment/images/pc0003h.png
new file mode 100644
index 0000000000..9e15738b48
Binary files /dev/null and b/windows/deployment/images/pc0003h.png differ
diff --git a/windows/deployment/images/pc0003i.png b/windows/deployment/images/pc0003i.png
new file mode 100644
index 0000000000..7c7b194399
Binary files /dev/null and b/windows/deployment/images/pc0003i.png differ
diff --git a/windows/deployment/images/pc0003j.png b/windows/deployment/images/pc0003j.png
new file mode 100644
index 0000000000..b446bff1c2
Binary files /dev/null and b/windows/deployment/images/pc0003j.png differ
diff --git a/windows/deployment/images/pc0003k.png b/windows/deployment/images/pc0003k.png
new file mode 100644
index 0000000000..ceead7b05b
Binary files /dev/null and b/windows/deployment/images/pc0003k.png differ
diff --git a/windows/deployment/images/pc0004-a.png b/windows/deployment/images/pc0004-a.png
new file mode 100644
index 0000000000..afe954d28f
Binary files /dev/null and b/windows/deployment/images/pc0004-a.png differ
diff --git a/windows/deployment/images/pc0004-b.png b/windows/deployment/images/pc0004-b.png
new file mode 100644
index 0000000000..caad109ace
Binary files /dev/null and b/windows/deployment/images/pc0004-b.png differ
diff --git a/windows/deployment/images/pc0004-c.png b/windows/deployment/images/pc0004-c.png
new file mode 100644
index 0000000000..21490d55a3
Binary files /dev/null and b/windows/deployment/images/pc0004-c.png differ
diff --git a/windows/deployment/images/pc0004-d.png b/windows/deployment/images/pc0004-d.png
new file mode 100644
index 0000000000..db10b4ccdc
Binary files /dev/null and b/windows/deployment/images/pc0004-d.png differ
diff --git a/windows/deployment/images/pc0004-e.png b/windows/deployment/images/pc0004-e.png
new file mode 100644
index 0000000000..d6472a4209
Binary files /dev/null and b/windows/deployment/images/pc0004-e.png differ
diff --git a/windows/deployment/images/pc0004-f.png b/windows/deployment/images/pc0004-f.png
new file mode 100644
index 0000000000..7752a700e0
Binary files /dev/null and b/windows/deployment/images/pc0004-f.png differ
diff --git a/windows/deployment/images/pc0004-g.png b/windows/deployment/images/pc0004-g.png
new file mode 100644
index 0000000000..93b4812149
Binary files /dev/null and b/windows/deployment/images/pc0004-g.png differ
diff --git a/windows/deployment/images/pc0004b.png b/windows/deployment/images/pc0004b.png
new file mode 100644
index 0000000000..f1fb129bbe
Binary files /dev/null and b/windows/deployment/images/pc0004b.png differ
diff --git a/windows/deployment/images/pc0006a.png b/windows/deployment/images/pc0006a.png
new file mode 100644
index 0000000000..399f99885f
Binary files /dev/null and b/windows/deployment/images/pc0006a.png differ
diff --git a/windows/deployment/images/pc0006b.png b/windows/deployment/images/pc0006b.png
new file mode 100644
index 0000000000..bef284d211
Binary files /dev/null and b/windows/deployment/images/pc0006b.png differ
diff --git a/windows/deployment/images/pc0006c.png b/windows/deployment/images/pc0006c.png
new file mode 100644
index 0000000000..1e8f075262
Binary files /dev/null and b/windows/deployment/images/pc0006c.png differ
diff --git a/windows/deployment/images/pc0006d.png b/windows/deployment/images/pc0006d.png
new file mode 100644
index 0000000000..dca5a58c2a
Binary files /dev/null and b/windows/deployment/images/pc0006d.png differ
diff --git a/windows/deployment/images/pc0006e.png b/windows/deployment/images/pc0006e.png
new file mode 100644
index 0000000000..3b3ef3be99
Binary files /dev/null and b/windows/deployment/images/pc0006e.png differ
diff --git a/windows/deployment/images/pc0006f.png b/windows/deployment/images/pc0006f.png
new file mode 100644
index 0000000000..8da05473b3
Binary files /dev/null and b/windows/deployment/images/pc0006f.png differ
diff --git a/windows/deployment/images/pc0006g.png b/windows/deployment/images/pc0006g.png
new file mode 100644
index 0000000000..0cc69e2626
Binary files /dev/null and b/windows/deployment/images/pc0006g.png differ
diff --git a/windows/deployment/images/pc0006h.png b/windows/deployment/images/pc0006h.png
new file mode 100644
index 0000000000..3ae86b01ed
Binary files /dev/null and b/windows/deployment/images/pc0006h.png differ
diff --git a/windows/deployment/images/pc0006i.png b/windows/deployment/images/pc0006i.png
new file mode 100644
index 0000000000..42c8e2adfa
Binary files /dev/null and b/windows/deployment/images/pc0006i.png differ
diff --git a/windows/deployment/images/ps100009-1.png b/windows/deployment/images/ps100009-1.png
new file mode 100644
index 0000000000..6bd970c352
Binary files /dev/null and b/windows/deployment/images/ps100009-1.png differ
diff --git a/windows/deployment/images/ps100009-2.png b/windows/deployment/images/ps100009-2.png
new file mode 100644
index 0000000000..e960ad91d4
Binary files /dev/null and b/windows/deployment/images/ps100009-2.png differ
diff --git a/windows/deployment/images/ref-image.png b/windows/deployment/images/ref-image.png
new file mode 100644
index 0000000000..773a21e150
Binary files /dev/null and b/windows/deployment/images/ref-image.png differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 4414c1e8fe..4cdab97bba 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -68,7 +68,7 @@ sections:
       <tr><td>[Windows 10 deployment test lab](windows-10-poc.md) </td><td>This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to  deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). </td>
       <tr><td>[Plan for Windows 10 deployment](planning/index.md) </td><td>This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. </td>
       <tr><td>[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) </td><td>This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). </td>
-      <tr><td>[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) </td><td>If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. </td>
+      <tr><td>[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) </td><td>If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. </td>
       <tr><td>[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) </td><td>Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. </td>
       </table>
       "
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 5dc23ca66e..45e00f7007 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -233,7 +233,7 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
 1. Disk validation is performed.
 2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
 3. UEFI boot files are installed to the ESP.
-4. GPT metatdata and layout information is applied.
+4. GPT metadata and layout information is applied.
 5. The boot configuration data (BCD) store is updated.
 6. Drive letter assignments are restored.
 
@@ -427,6 +427,9 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
 
    For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
    
+   > [!NOTE]
+   > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit.
+   
    **Command 1:**
    ```cmd
    copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index dde951580a..76f55d16c6 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -28,7 +28,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 ## Related topics
 - [Windows 10 servicing options for updates and upgrades](../update/index.md)
 - [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 - [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 - [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 - [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 3276da608a..5a34226e0f 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -21,14 +21,14 @@ The features described below are no longer being actively developed, and might b
 
 **The following list is subject to change and might not include every affected feature or functionality.**
 
->If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
+> [!NOTE] 
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
 
 |Feature    |  Details and mitigation  | Announced in version |
 | ----------- | --------------------- | ---- |
 | Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team.  Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
 | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
 | My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
-| TSF1/TSF2 IME |  TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. ​| 1909 |
 | Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
 | XDDM-based remote display driver  | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
 | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
@@ -48,7 +48,6 @@ The features described below are no longer being actively developed, and might b
 |Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**<br>&nbsp;<br>The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
 |IIS 6 Management Compatibility*  | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
 |IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
-|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations.  Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
 |RSA/AES Encryption for IIS   | We recommend that users use CNG encryption provider. | 1709 |
 |Screen saver functionality in Themes   | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
 |Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
@@ -64,4 +63,4 @@ The features described below are no longer being actively developed, and might b
 |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
 |TCPChimney | TCP Chimney Offload is no longer being developed.  See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
 |IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 0b58c82162..b5615f4412 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -53,7 +53,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
 > Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management. 
  
 
-For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 ## Management tools
 
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 3063058112..1c93c41731 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -18,7 +18,7 @@ ms.topic: article
 
 Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.** 
 
-For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md).
 
 > [!NOTE]
 > Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@@ -50,12 +50,13 @@ The following features and functionalities have been removed from the installed
 |Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
 |Screen saver functionality in Themes   | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
 |Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
-|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
+|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
 |Tile Data Layer |To be replaced by the Tile Store.| 1709 |
+|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations.  Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
 |Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
 |By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
 |Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
 |Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
 |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
 |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile  | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
+|WSUS for Windows Mobile  | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg
deleted file mode 100644
index 47e74febbc..0000000000
Binary files a/windows/deployment/update/images/UC-vid-crop.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/update/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/update/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/update/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/update/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID.png b/windows/deployment/update/images/UC_commercialID.png
deleted file mode 100644
index 6896be03e6..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID_GP.png b/windows/deployment/update/images/UC_commercialID_GP.png
deleted file mode 100644
index 95d92cf6df..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID_GP.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_telemetrylevel.png b/windows/deployment/update/images/UC_telemetrylevel.png
deleted file mode 100644
index a11e68a5f8..0000000000
Binary files a/windows/deployment/update/images/UC_telemetrylevel.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
deleted file mode 100644
index c0ef37ebc6..0000000000
Binary files a/windows/deployment/update/images/uc-01-wdav.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01.png b/windows/deployment/update/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/deployment/update/images/uc-01.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02.png b/windows/deployment/update/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/deployment/update/images/uc-02.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/deployment/update/images/uc-02a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03.png b/windows/deployment/update/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/deployment/update/images/uc-03.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/deployment/update/images/uc-03a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04.png b/windows/deployment/update/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/deployment/update/images/uc-04.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/deployment/update/images/uc-04a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05.png b/windows/deployment/update/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/deployment/update/images/uc-05.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/deployment/update/images/uc-05a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06.png b/windows/deployment/update/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/deployment/update/images/uc-06.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/deployment/update/images/uc-06a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07.png b/windows/deployment/update/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/deployment/update/images/uc-07.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/deployment/update/images/uc-07a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08.png b/windows/deployment/update/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/deployment/update/images/uc-08.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/deployment/update/images/uc-08a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09.png b/windows/deployment/update/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/deployment/update/images/uc-09.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/deployment/update/images/uc-09a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
deleted file mode 100644
index ea065590b9..0000000000
Binary files a/windows/deployment/update/images/uc-10.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/deployment/update/images/uc-10a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-11.png b/windows/deployment/update/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/deployment/update/images/uc-11.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-12.png b/windows/deployment/update/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/deployment/update/images/uc-12.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-13.png b/windows/deployment/update/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/deployment/update/images/uc-13.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-14.png b/windows/deployment/update/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/deployment/update/images/uc-14.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-15.png b/windows/deployment/update/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/deployment/update/images/uc-15.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-16.png b/windows/deployment/update/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/deployment/update/images/uc-16.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-17.png b/windows/deployment/update/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/deployment/update/images/uc-17.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-18.png b/windows/deployment/update/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/deployment/update/images/uc-18.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-19.png b/windows/deployment/update/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/deployment/update/images/uc-19.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-20.png b/windows/deployment/update/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/deployment/update/images/uc-20.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-21.png b/windows/deployment/update/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/deployment/update/images/uc-21.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-22.png b/windows/deployment/update/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/deployment/update/images/uc-22.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-23.png b/windows/deployment/update/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/deployment/update/images/uc-23.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-24.png b/windows/deployment/update/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/deployment/update/images/uc-24.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-25.png b/windows/deployment/update/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/deployment/update/images/uc-25.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png
deleted file mode 100644
index d4b47be324..0000000000
Binary files a/windows/deployment/update/images/uc-DO-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
deleted file mode 100644
index 24c37d4279..0000000000
Binary files a/windows/deployment/update/images/uc-emptyworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
deleted file mode 100644
index ae6a38502f..0000000000
Binary files a/windows/deployment/update/images/uc-featureupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
deleted file mode 100644
index 7293578b1a..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
deleted file mode 100644
index 8d99e52e02..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
deleted file mode 100644
index 50b6d04699..0000000000
Binary files a/windows/deployment/update/images/uc-needattentionoverview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
deleted file mode 100644
index dca364daf6..0000000000
Binary files a/windows/deployment/update/images/uc-overviewblade.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
deleted file mode 100644
index f52087a4a7..0000000000
Binary files a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
deleted file mode 100644
index 75e9d10fd8..0000000000
Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
deleted file mode 100644
index e3f6990348..0000000000
Binary files a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 06ca9774d4..6c8417f572 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -48,5 +48,5 @@ Windows as a service provides a new way to think about building, deploying, and
 
 >[!TIP]
 >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 6f79f71c7e..c981469bef 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -8,7 +8,7 @@ itproauthor: jaimeo
 author: SteveDiAcetis
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.reviewer: 
+ms.reviewer:
 manager: laurawi
 ms.collection: M365-modern-desktop
 ms.topic: article
@@ -88,7 +88,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
 
 ### Additional languages and features
 
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. 
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
 
 Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
 
@@ -108,7 +108,7 @@ These examples are for illustration only, and therefore lack error handling. The
 The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
 
 ```
-function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } 
+function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
 
 Write-Host "$(Get-TS): Starting media refresh"
 
@@ -121,19 +121,19 @@ $LANG = "ja-jp"
 $LANG_FONT_CAPABILITY = "jpan"
 
 # Declare Dynamic Update packages
-$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu”
-$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu”
+$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
+$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
 $SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
-$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab”
-$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu”
+$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
+$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
 
 # Declare folders for mounted images and temp files
 $WORKING_PATH = "C:\mediaRefresh\temp"
 $MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
 $MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount”
-$WINRE_MOUNT = $WORKING_PATH + "\WinREMount”
-$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount”
+$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
+$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
+$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
 
 # Mount the language pack ISO
 Write-Host "$(Get-TS): Mounting LP ISO"
@@ -152,7 +152,7 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Cli
 # Mount the Features on Demand ISO
 Write-Host "$(Get-TS): Mounting FOD ISO"
 $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" 
+$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
 
 # Create folders for mounting images and storing temporary files
 New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@@ -162,7 +162,7 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
 
 # Keep the original media, make a copy of it for the new, updateed media.
 Write-Host "$(Get-TS): Copying original media to new media path"
-Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
 Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
 ```
 ### Update WinRE
@@ -177,14 +177,14 @@ It finishes by cleaning and exporting the image to reduce the image size.
 ```
 # Mount the main operating system, used throughout the script
 Write-Host "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null  
+Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null  
 
 #
 # update Windows Recovery Environment (WinRE)
 #
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null 
+Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -226,10 +226,10 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
 # Add TTS support for the new language
 if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
     if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-            
+
         Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
         Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-            
+
         Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
         Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
     }
@@ -244,35 +244,35 @@ Write-Host "$(Get-TS): Performing image cleanup on WinRE"
 DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
 # Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null 
+Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null
 
 # Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim”
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
+Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
 ```
 ### Update WinPE
 
 This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
 
 ```
-# 
+#
 # update Windows Preinstallation Environment (WinPE)
-# 
+#
 
 # Get the list of images contained within WinPE
-$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim”
+$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
 
 Foreach ($IMAGE in $WINPE_IMAGES) {
 
     # update WinPE
     Write-Host "$(Get-TS): Mounting WinPE"
-    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
+    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
 
     # Add SSU
     Write-Host "$(Get-TS): Adding package $SSU_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
-        
+
     # Install lp.cab cab
     Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
@@ -287,7 +287,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
 
             $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
             if ($INDEX -ge 0) {
-                
+
                 $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
                 if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
                     $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
@@ -307,10 +307,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     # Add TTS support for the new language
     if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
         if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-            
+
             Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
             Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-            
+
             Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
             Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
         }
@@ -321,7 +321,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
         Write-Host "$(Get-TS): Updating lang.ini"
         DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
     }    
-    
+
     # Add latest cumulative update
     Write-Host "$(Get-TS): Adding package $LCU_PATH"
     Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null  
@@ -331,28 +331,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
     DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
     # Dismount
-    Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null 
+    Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
 
     #Export WinPE
-    Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim”
-    Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
+    Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
+    Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
 
 }
 
-Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
 ```
 ### Update the main operating system
 
 For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
 
 Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
- 
+
 You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
 
 ```
-# 
+#
 # update Main OS
-# 
+#
 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -385,20 +385,20 @@ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOU
 
 # Add latest cumulative update
 Write-Host "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null 
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
 
 # Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file 
+# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
 # into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
 
 # Perform image cleanup
 Write-Host "$(Get-TS): Performing image cleanup on main OS"
 DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 
 #
-# Note: If I wanted to enable additional Optional Components, I'd add these here. 
-# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require 
+# Note: If I wanted to enable additional Optional Components, I'd add these here.
+# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
 # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
 #
 
@@ -413,9 +413,9 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorActio
 Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
 
 # Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim”
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
 ```
 
 ### Update remaining media files
@@ -446,8 +446,7 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
 # Dismount ISO images
 Write-Host "$(Get-TS): Dismounting ISO images"
 Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
-Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null 
+Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
 
 Write-Host "$(Get-TS): Media refresh completed!"
 ```
-
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
new file mode 100644
index 0000000000..fc22965271
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -0,0 +1,77 @@
+---
+title: Manually configuring devices for Update Compliance
+ms.reviewer: 
+manager: laurawi
+description: Manually configuring devices for Update Compliance
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Manually Configuring Devices for Update Compliance
+
+There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+
+The requirements are separated into different categories:
+
+1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
+2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
+
+## Required policies
+
+> [!NOTE]
+> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
+
+Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+
+- **Policy** corresponds to the location and name of the policy.
+- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional).
+- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
+
+### Mobile Device Management policies
+
+Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
+
+| Policy | Value | Function |
+|---------------------------|-|------------------------------------------------------------|
+|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |1- Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | Disable Telemetry opt-in Settings | (*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+### Group Policies
+
+All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.  
+
+| Policy | Value | Function |
+|---------------------------|-|-----------------------------------------------------------|
+|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
+|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**Configure telemetry opt-in setting user interface** | Disable telemetry opt-in Settings |(*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+## Required endpoints
+
+To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
+
+| **Endpoint**  | **Function**  |
+|---------------------------------------------------------|-----------|
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
+| `http://adl.windows.com` | Required for Windows Update functionality. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://oca.telemetry.microsoft.com`  | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
+| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). |
+
+## Required services
+
+Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
new file mode 100644
index 0000000000..d97bb2897a
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -0,0 +1,99 @@
+---
+title: Update Compliance Configuration Script
+ms.reviewer: 
+manager: laurawi
+description: Downloading and using the Update Compliance Configuration Script
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Configuring devices through the Update Compliance Configuration Script
+
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
+
+You can [**download the script here**](https://github.com/cinglis-msft/UpdateComplianceConfigurationScript). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+
+## How the script is organized
+
+The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat.
+
+- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on.
+- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script.
+
+## How to use the script
+
+### Piloting and Troubleshooting
+
+> [!IMPORTANT]
+> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
+
+When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
+
+1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
+2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+3. Run the script. The script must be run in System context.
+4. Examine the Logs output for any issues. If there were issues:
+   - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance] (update-compliance-configuration-manual.md).
+   - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
+   - Make the necessary corrections and run the script again.
+5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
+
+
+### Broad deployment
+
+After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment.
+
+1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population.
+
+## Script Error Reference
+
+|Error |Description |
+|-|-------------------|
+| 27 | Not system account. |
+| 37 | Unexpected exception when collecting logs|
+| 1  | General unexpected error|
+| 6  | Invalid CommercialID|
+| 48 | CommercialID is not a GUID|
+| 8  | Couldn't create registry key path to setup CommercialID|
+| 9  | Couldn't write CommercialID at registry key path|
+| 53 | There are conflicting CommercialID values.|
+| 11 | Unexpected result when setting up CommercialID.|
+| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`|
+| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
+| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.|
+| 99 | Device is not Windows 10.|
+| 40 | Unexpected exception when checking and setting telemetry.|
+| 12 | CheckVortexConnectivity failed, check Log output for more information.|
+| 12 | Unexpected failure when running CheckVortexConnectivity.|
+| 66 | Failed to verify UTC connectivity and recent uploads.| 
+| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.|
+| 41 | Unable to impersonate logged-on user.|
+| 42 | Unexpected exception when attempting to impersonate logged-on user.|
+| 43 | Unexpected exception when attempting to impersonate logged-on user.|
+| 16 | Reboot is pending on device, restart device and restart script.|
+| 17 | Unexpected exception in CheckRebootRequired.|
+| 44 | Error when running CheckDiagTrack service.|
+| 45 | DiagTrack.dll not found.|
+| 50 | DiagTrack service not running.|
+| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
+| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.|
+| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.|
+| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.|
+| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.|
+| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.|
+| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
+| 61 | Unexpected exception when attempting to clean up OneSettings.|
+| 52 | Could not find Census.exe|
+| 51 | Unexpected exception when attempting to run Census.exe|
+| 34 | Unexpected exception when attempting to check Proxy settings.|
+| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
+| 35 | Unexpected exception when checking User Proxy.|
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 2d3216901c..1fc602e081 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -37,9 +37,7 @@ Refer to the following list for what each state means:
 
 ## Compatibility holds
 
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. 
-
-To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). 
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. 
 
 ### Opting out of compatibility hold
 
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 5e81c8e5a0..4e77a4d513 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,8 +1,8 @@
 ---
-title: Get started with Update Compliance (Windows 10)
+title: Get started with Update Compliance
 ms.reviewer: 
 manager: laurawi
-description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network.
+description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance 
 keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -16,113 +16,68 @@ ms.topic: article
 ---
 
 # Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Update Compliance.
 
-Steps are provided in sections that follow the recommended setup process:
+This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
 
-1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
-2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance).
-4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights.
+1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
+2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
+3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
+
+After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
 
 ## Update Compliance prerequisites
+
 Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
-1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. 
-2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
-3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. 
-4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section.
+
+1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
+2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
+3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
+5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
 
 ## Add Update Compliance to your Azure subscription
-Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
 
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
+Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
+
+1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
+2. Select **Get it now**.
+3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
+   - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
+   - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance.
+4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created.
 
 > [!NOTE]
-> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. 
+> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
 
-2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. 
+### Get your CommercialID
 
-![Update Compliance marketplace search results](images/UC_00_marketplace_search.png)
+A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
 
-3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure.
+To find your CommercialID within Azure:
 
-![Update Compliance solution creation](images/UC_01_marketplace_create.png)
+1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
+2. From there, select the Update Compliance Settings page on the navbar.
+3. Your CommercialID is available in the settings page.
 
-4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. 
-   - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. 
-   - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
-       - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
-       - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
-       - For the location setting, choose the Azure region where you would prefer the data to be stored.
-       - For the pricing tier select **per GB**.
-
-![Update Compliance workspace creation](images/UC_02_workspace_create.png)
-
-5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**.
-
-![Update Compliance workspace selection](images/UC_03_workspace_select.png)
-
-6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. 
-
-![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png)
+> [!IMPORTANT]
+> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.
 
 ## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment:
 
-### Deploy your Commercial ID to devices
-A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment.
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
 
-To find your Commercial ID within Azure: 
-1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. 
-2. From there, select the Update Compliance Settings page on the navbar. 
-3. Your Commercial ID is available in the settings page.
+> [!NOTE]
+> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
 
-![Update Compliance Settings page](images/UC_commercialID.png)
+### Configure devices using the Update Compliance Configuration Script
 
->**Important**
->
->Regenerate your Commercial ID only if your Original ID key can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices.
+The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions:
 
-#### Deploying Commercial ID using Group Policy
-Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**. 
+- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
+- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.  
 
-![Commercial ID Group Policy location](images/UC_commercialID_GP.png)
+To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md).
 
-#### Deploying Commercial ID using MDM
-Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). 
+### Configure devices manually
 
-### Ensure endpoints are whitelisted
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this. 
-
-| **Endpoint**  | **Function**  |
-|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
-| `https://oca.telemetry.microsoft.com`  | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
-| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-
-### Set diagnostic data levels
-Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-
-#### Configuring Telemetry level using Group Policy
-You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function.
-
-![Allow Telemetry in Group Policy](images/UC_telemetrylevel.png)
-
-#### Configuring Telemetry level using MDM
-Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
-### Enabling Device Name in telemetry
-Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead. 
-
-#### Allow Device Name in Telemetry with Group Policy
-Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**. 
-
-#### Allow Device Name in Telemetry with MDM
-Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). 
-
->[!NOTE]
->After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. 
\ No newline at end of file
+It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 2bcc21e872..9e8f6964b8 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -20,9 +20,8 @@ ms.topic: article
 > [!IMPORTANT]
 > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
 >
-> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
-> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
+> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance was retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * The Perspectives feature of Update Compliance was retired on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
 
 ## Introduction
 
@@ -34,30 +33,15 @@ Update Compliance enables organizations to:
 
 Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
 
-Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).
+Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
 
 See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
 
-- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
-- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
+- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
 
-## Update Compliance architecture
-
-The Update Compliance architecture and data flow follows this process:
-
-1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-2. Diagnostic data is analyzed by the Update Compliance Data Service.
-3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
-4. Diagnostic data is available in the Update Compliance solution.
-
-
-> [!NOTE]
-> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
-
-
-
- 
 ## Related topics
 
-[Get started with Update Compliance](update-compliance-get-started.md)<BR>
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Get started with Update Compliance](update-compliance-get-started.md)
+* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Update Compliance Schema Reference](update-compliance-schema.md)
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index a4b940a236..b3a4ca35a7 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -19,8 +19,8 @@ ms.topic: article
 
 The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. 
 
->[!NOTE]
->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
+> [!NOTE]
+> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
 
 The different issues are broken down by Device Issues and Update Issues:
 
@@ -39,8 +39,8 @@ The different issues are broken down by Device Issues and Update Issues:
 
 Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
 
->[!NOTE]
->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. 
+> [!NOTE]
+> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. 
 
 ## List of Queries
 
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
deleted file mode 100644
index b07741ffeb..0000000000
--- a/windows/deployment/update/update-compliance-perspectives.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Update Compliance - Perspectives
-ms.reviewer: 
-manager: laurawi
-description: an overview of Update Compliance Perspectives
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Perspectives
-
-> [!IMPORTANT]
-> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
-
-![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png)
-
-Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. 
-
-There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. 
-
-The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. 
-
-The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). 
-
-## Deployment status
-
-The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
-
-| State | Description |
-| --- | --- |
-| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
-| In Progress |    Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
-| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
-| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. |
-| Cancelled | The update was canceled. |
-| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
-| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
-| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
-| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds).  |
-
-## Detailed deployment status
-
-The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
-
-| State | Description |
-| --- | --- |
-| Update deferred |    When a device's Windows Update for Business policy dictates the update is deferred. |
-| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. |
-| Update offered | The device has been offered the update, but has not begun downloading it. |
-| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
-| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
-| Download Started | The update has begun downloading on the device. |
-| Download Succeeded | The update has successfully completed downloading. |
-| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
-| Install Started |    Installation of the update has begun. |
-| Reboot Required |    The device has finished installing the update, and a reboot is required before the update can be completed.
-| Reboot Pending | The device has a scheduled reboot to apply the update. |
-| Reboot Initiated | The scheduled reboot has been initiated. |
-| Update Completed/Commit |    The update has successfully installed. |
-
-> [!NOTE]
-> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
new file mode 100644
index 0000000000..a455261f8c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -0,0 +1,55 @@
+---
+title: Privacy in Update Compliance
+ms.reviewer: 
+manager: laurawi
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Privacy in Update Compliance
+
+Update Compliance is fully committed to privacy, centering on these tenets:
+
+- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
+- **Security:** Your data is protected with strong security and encryption.
+- **Trust:** Update Compliance supports the Online Services Terms.
+
+## Data flow for Update Compliance
+
+The data flow sequence is as follows:
+
+1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
+2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key.
+3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID.
+4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID.
+5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals.
+
+## FAQ
+
+### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service?
+
+No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
+
+### Can I choose the data center location?
+
+Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
+
+## Related topics
+
+See related topics for additional background information on privacy and treatment of diagnostic data:
+
+- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
+- [Trust Center](https://www.microsoft.com/trustcenter)
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
new file mode 100644
index 0000000000..3cbcbbeb28
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSDeploymentStatus
+ms.reviewer: 
+manager: laurawi
+description: WaaSDeploymentStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSDeploymentStatus
+
+WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time.
+
+|Field |Type |Example |Description |
+|-|-|-----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
+|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
+|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
+|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Cancelled**: The update was cancelled.<li> **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:<br><li> **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.<li> **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.<li> **Update offered**: The device has been offered the update, but has not begun downloading it.<li> **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.<li> **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds).<li> **Download started**: The update has begun downloading on the device.<li> **Download Succeeded**: The update has successfully completed downloading. <li> **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.<li> **Install Started**: Installation of the update has begun.<li> **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.<li> **Reboot Pending**: The device has a scheduled reboot to apply the update.<li> **Reboot Initiated**: The scheduled reboot has been initiated.<li> **Commit**: Changes are being committed post-reboot. This is another step of the installation process.<li> **Update Completed**: The update has successfully installed.|
+|**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
+|**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build currently installed on the device. |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**PauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.<br><li> **Expired**: The pause period has expired.<li> **NotConfigured**: Pause is not configured.<li> **Paused**: The device was last reported to be pausing this content type.<li> **NotPaused**: The device was last reported to not have any pause on this content type. |
+|**RecommendedAction** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. |
+|**ReleaseName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. |
+|**TargetBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. |
+|**TargetOSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The target OSVersion. |
+|**TargetOSRevision** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |The target OSRevisionNumber. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**UpdateCategory** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. |
+|**UpdateClassification** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. |
+|**UpdateReleasedDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
new file mode 100644
index 0000000000..2ddf505e62
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@@ -0,0 +1,35 @@
+---
+title: Update Compliance Schema - WaaSInsiderStatus
+ms.reviewer: 
+manager: laurawi
+description: WaaSInsiderStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSInsiderStatus
+
+WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md).
+
+
+|Field |Type |Example |Description |
+|--|--|---|--|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
+|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
new file mode 100644
index 0000000000..0b5adb4096
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSUpdateStatus
+ms.reviewer: 
+manager: laurawi
+description: WaaSUpdateStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSUpdateStatus
+
+WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention.
+
+|Field |Type |Example |Description |
+|--|-|----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) |
+|**FeatureDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0`                        |The on-client Windows Update for Business Deferral Policy days.<br> - **<0**: A value below 0 indicates the policy is disabled. <br> - **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.<br> - **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
+|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.<br><li> **Expired**: The pause period has expired.<li> **NotConfigured**: Pause is not configured.<li> **Paused**: The device was last reported to be pausing this content type.<li> **NotPaused**: The device was last reported to not have any pause on this content type. |
+|**QualityDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.<br><li> **<0**: A value below 0 indicates the policy is disabled. <li> **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days. <li> **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**QualityPauseDays**      |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |**Deprecated**. This provides the count of days left in a pause period.|
+|**QualityPauseState**     |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`NotConfigured`            |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Quality Updates.<br><li>**Expired**: The pause period has expired.<li> **NotConfigured**: Pause is not configured.<li>**Paused**: The device was last reported to be pausing this content type.<li>**NotPaused**: The device was last reported to not have any pause on this content type. |
+|**NeedAttentionStatus**   |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  | |Indicates any reason a device needs attention; if empty, there are no [Device Issues](https://docs.microsoft.com/windows/deployment/update/update-compliance-need-attention#device-issues) for this device. |
+|**OSArchitecture**        |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`amd64` |The architecture of the Operating System. |
+|**OSName**                |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion**             |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild**               |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`18363.720`                |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber**      |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int)     |`720`                      |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSCurrentStatus**       |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Current`                  |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. |
+|**OSEdition**             |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Enterprise`               |The Windows 10 Edition or SKU.  |
+|**OSFamily**              |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Windows.Desktop`          |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSFeatureUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Feature Update. |
+|**OSQualityUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Quality Update (for its Feature Update). |
+|**OSSecurityUpdateStatus**|[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Up-to-date`               |Indicates whether or not the device is on the latest available Windows 10 Quality Update **that is classified as containing security fixes**. |
+|**OSServicingBranch**     |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string)  |`Semi-Annual`              |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated**         |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan**              |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
new file mode 100644
index 0000000000..6aa934c711
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@@ -0,0 +1,34 @@
+---
+title: Update Compliance Schema - WUDOAggregatedStatus
+ms.reviewer: 
+manager: laurawi
+description: WUDOAggregatedStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOAggregatedStatus
+
+WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**DeviceCount** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`9999` |Total number of devices in this aggregated record. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization.|
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.|
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.|
diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md
new file mode 100644
index 0000000000..7a9adf27cd
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@@ -0,0 +1,57 @@
+---
+title: Update Compliance Schema - WUDOStatus
+ms.reviewer: 
+manager: laurawi
+description: WUDOStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOStatus
+
+> [!NOTE]
+> Currently all location-based fields are not working properly. This is a known issue.
+
+WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**City** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. |
+|**Country** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. |
+|**ISP** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization. |
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode)**@JAIME** configuration for this content. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
+|**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**DownloadModeSrc** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. |
+|**GroupID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. |
+|**NoPeersCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild.  |
+|**PeerEligibleTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |Total number of eligible transfers by Peers. |
+|**PeeringStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`On` |The DO Peering Status |
+|**PeersCannotConnectCount**|[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device was unable to connect to. |
+|**PeersSuccessCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device successfully connected to. |
+|**PeersUnknownCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers for which there is an unknown relation. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**TotalTimeForDownload** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`0:00:00` |The total time it took to download the content. |
+|**TotalTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The total number of data transfers to download this content. |
+
diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md
new file mode 100644
index 0000000000..2be2ac0e78
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema.md
@@ -0,0 +1,29 @@
+---
+title: Update Compliance Data Schema
+ms.reviewer: 
+manager: laurawi
+description: an overview of Update Compliance data schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Update Compliance Schema
+
+When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
+
+The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
+
+|Table |Category |Description |
+|--|--|--|
+|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
+|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
+|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
+|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |
+|[**WUDOAggregatedStatus**](update-compliance-schema-wudoaggregatedstatus.md) |Delivery Optimization record |This table aggregates all individual WUDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to Delivery Optimization. |
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index f6f30a2709..67cc9067ac 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -22,49 +22,4 @@ The **Overall Security Update Status** blade provides a visualization of devices
  
 The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. 
 
-The various deployment states reported by devices are as follows:
-
-## Deployment status
-Deployment status summarizes detailed status into higher-level states to get a quick sense of the status the given device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported deployment status.  
-
-|Deployment status    |Description  |
-|---------|---------|
-|Failed     |  The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update.        |
-|Progress stalled     | The device started the update process, but no progress has been reported in the last 7 days.        |
-|Deferred     |   The device is currently deferring the update process due to Windows Update for Business policies.      |
-|In progress     | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.**         |
-|Update completed     |  The device has completed the update process.        |
-|Update paused     |  The device is prevented from being offered the update due to updates being paused on the device.       |
-|Unknown     | No record is available for this device relative to this update. This is a normal status if an update has recently been released or if the device does not use Windows Update.  |
-
-
-## Detailed status
-Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status.
-
-
-|Detailed status  |Description  |
-|---------|---------|
-|Scheduled in next X days     |  The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days.       |
-|Compatibility hold     |  The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds)        |
-|Update deferred     |  The device is currently deferring the update with Windows Update for Business policies.       |
-|Update paused     |  The device is prevented from being offered the update due to updates being paused on the device.        |
-|Update offered     |  The device has been offered the update by Windows Update but has not yet begun to download it.       |
-|Download started     | The device has begun downloading the update.        |
-|Download succeeded     | The device has finished downloading the update but has not yet begun installing the update.         |
-|Install started     |  The device has begun installing the update.       |
-|PreInstall task passed     |  The device has passed checks prior to beginning the rest of the installation process after a restart.       |
-|Reboot required     |  The device requires a restart to install the update, but one has not yet been scheduled.       |
-|Reboot pending     |  The device is pending a restart to install the update.       |
-|Reboot initiated     |  The device reports "Reboot initiated" just before actually restarting specifically to apply the update.       |
-|Commit     | The device, after a restart, is committing changes relevant to the update.        |
-|Finalize succeeded     | The device has finished final tasks after a restart to apply the update.        |
-|Update successful     | The device has successfully applied the update.        |
-|Cancelled     | The update was canceled at some point in the update process.        |
-|Uninstalled     | The update was successfully uninstalled from the device.        |
-|Rollback     |  The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update.       |
-
-
-
-
-
 The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. 
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 3f9b6fbcbb..47ea2040ed 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -21,14 +21,13 @@ In this section you'll learn how to use Update Compliance to monitor your device
 
 
 Update Compliance: 
-- Provides detailed deployment data for Windows 10 security, quality, and feature updates.
-- Reports when devices have issues related to updates that need attention.
-- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
+- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates.
+- Reports when devices need attention due to issues related to update deployment.
 - Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
 - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
 
 ## The Update Compliance tile
-After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile:
+After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
 
 ![Update Compliance tile no data](images/UC_tile_assessing.png)
 
@@ -48,7 +47,7 @@ When you select this tile, you will be redirected to the Update Compliance works
 
 ![The Overview blade](images/UC_workspace_overview_blade.png)
 
-Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
+Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
 * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
 * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. 
 * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. 
@@ -84,9 +83,9 @@ This means you should generally expect to see new data device data every 24 hour
 Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. 
 
 See below for a few topics related to Log Analytics: 
-* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
+* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
 * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). 
-* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. 
+* [Gain an overview of Log Analytics' alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. 
 
 ## Related topics
 
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
deleted file mode 100644
index 3fae8e0328..0000000000
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Update Compliance - Windows Defender AV Status report
-ms.reviewer: 
-manager: laurawi
-description: an overview of the Windows Defender AV Status report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Defender AV Status
-
-
-> [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
-
-![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
-
-The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
-
-> [!NOTE]
-> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). 
-
-## Windows Defender AV Status sections
-The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. 
-
-The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. 
-
-Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
-* **Signature out of date** devices are devices with a signature older than 14 days.
-* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
-* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
-* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
-* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
-
-## Windows Defender data latency
-Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. 
-
-## Related topics
-
-- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index e7d8d21550..de0d1957dc 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 - 4 = DNS Suffix
 - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.  
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
 
 
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 14223dbdc3..13b02958f8 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -280,6 +280,9 @@ You can manually approve updates and set deadlines for installation within the W
 
 To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
 
+> [!NOTE]
+> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer.  
+
 **To approve and deploy feature updates manually**
 
 1.	 In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 2486006471..0e9f6ba908 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -52,7 +52,7 @@ You can control when updates are applied, for example by deferring when an updat
 
 Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.   
 
-- Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
+- Disable Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
 - Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.
 
 
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
deleted file mode 100644
index 2d3ffa0e03..0000000000
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ /dev/null
@@ -1,219 +0,0 @@
----
-title: Perform in-place upgrade to Windows 10 via Configuration Manager
-description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
-ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Perform an in-place upgrade to Windows 10 using Configuration Manager
-
-
-**Applies to**
-
--   Windows 10
-
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
-
->[!IMPORTANT]
->Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must removed from a device before performing an in-place upgrade to Windows 10.
-
-## Proof-of-concept environment
-
-For the purposes of this topic, we will use three computers: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a domain member server. PC0001 is a computer running Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Prepare for deployment with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md).
-
-![computers](../images/dc01-cm01-pc0001.png)
-
-The computers used in this topic.
-
-## Upgrade to Windows 10 with Configuration Manager
-
-
-System Center 2012 R2 Configuration Manager SP 1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
-
-## Create the task sequence
-
-
-To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform:
-
-1.  Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share.
-2.  Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder.
-3.  Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1.
-4.  Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point.
-
-For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above.
-
-## Create a device collection
-
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed.
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-    -   General
-
-        -   Name: Windows 10 Enterprise x64 Upgrade
-
-        -   Limited Collection: All Systems
-
-    -   Membership rules:
-
-        -   Direct rule
-
-            -   Resource Class: System Resource
-
-            -   Attribute Name: Name
-
-            -   Value: PC0001
-
-        -   Select Resources
-
-        -   Select PC0001
-
-2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-## Deploy the Windows 10 upgrade
-
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3.  On the **Content** page, click **Next**.
-4.  On the **Deployment Settings** page, select the following settings, and then click **Next**:
-    -   Action: Install
-
-    -   Purpose: Available
-
-5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
-6.  On the **User Experience** page, accept the default settings, and then click **Next**.
-7.  On the **Alerts** page, accept the default settings, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-
-## Start the Windows 10 upgrade
-
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1.  On PC0001, start the **Software Center**.
-2.  Select the **Windows vNext Upgrade** task sequence, and then click **Install**.
-
-When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-![figure 2](../images/upgradecfg-fig2-upgrading.png)
-
-Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
-
-After the task sequence finishes, the computer will be fully upgraded to Windows 10.
-
-## Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager
-
-
-With Configuration Manager, new built-in functionality makes it easier to upgrade to Windows 10.
-
-**Note**  
-For more details about Configuration Manager, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
-
- 
-
-### Create the OS upgrade package
-
-First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**.
-2.  On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**.
-3.  On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**.
-4.  On the **Summary** page, click **Next**, and then click **Close**.
-5.  Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point.
-
-### Create the task sequence
-
-To create an upgrade task sequence, perform the following steps:
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**.
-2.  On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-3.  On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**.
-4.  On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**.
-5.  Click **Next** through the remaining wizard pages, and then click **Close**.
-
-![figure 3](../images/upgradecfg-fig3-upgrade.png)
-
-Figure 3. The Configuration Manager upgrade task sequence.
-
-### Create a device collection
-
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of Configuration Manager client installed.
-
-1.  On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-    -   General
-
-        -   Name: Windows 10 Enterprise x64 Upgrade
-
-        -   Limited Collection: All Systems
-
-    -   Membership rules:
-
-        -   Direct rule
-
-            -   Resource Class: System Resource
-
-            -   Attribute Name: Name
-
-            -   Value: PC0001
-
-        -   Select Resources
-
-        -   Select PC0001
-
-2.  Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection.
-
-### Deploy the Windows 10 upgrade
-
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
-
-1.  On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**.
-2.  On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**.
-3.  On the **Content** page, click **Next**.
-4.  On the **Deployment Settings** page, select the following settings and click **Next**:
-    -   Action: Install
-
-    -   Purpose: Available
-
-5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
-6.  On the **User Experience** page, accept the default settings, and then click **Next**.
-7.  On the **Alerts** page, accept the default settings, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-
-### Start the Windows 10 upgrade
-
-In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1).
-
-1.  On PC0001, start the **Software Center**.
-2.  Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
-
-When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
-
-## Related topics
-
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index fa6196d4f9..4c1c3fa279 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -34,16 +34,17 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
 - [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
-- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
-- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP
+- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
+- Alternatively, any supported **full** SQL instance
 
-### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer
+### Install SQL Server Express / alternatively use any full SQL instance
 
-1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
 2. Select **Basic**.
 3. Accept the license terms.
 4. Enter an install location or use the default path, and then select **Install**.
 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
+
     ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
 
 ### Install VAMT using the ADK
@@ -56,7 +57,7 @@ Reminder: There won't be new ADK release for 1909.
 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
 6. On the completion page, select **Close**.
 
-### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server
+### Configure VAMT to connect to SQL Server Express or full SQL Server
 
 1. Open **Volume Active Management Tool 3.1** from the Start menu.
 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 3479b54e9c..c67c06b664 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -11,7 +11,6 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
-ms.date: 11/06/2018
 audience: itpro
 author: greg-lindsay
 ms.topic: article
@@ -55,7 +54,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
       Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
     </td>
     <td align="center" style="width:16%; border:1;"> 
-<a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
+<a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
     </td>
   </tr>
   <tr>
@@ -109,7 +108,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
       Deploy a new device, or wipe an existing device and deploy with a fresh image. 
     </td>
     <td align="center" style="width:16%; border:1;"> 
- <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt">Deploy a Windows 10 image using MDT</a><br><a href="https://docs.microsoft.com/configmgr/osd/deploy-use/install-new-windows-version-new-computer-bare-metal">Install a new version of Windows on a new computer with Microsoft Endpoint Configuration Manager</a>
+ <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt">Deploy a Windows 10 image using MDT</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager">Deploy Windows 10 using PXE and Configuration Manager</a>
     </td>
   </tr>
   <tr>
@@ -121,7 +120,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
       Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. 
     </td>
     <td align="center" style="width:16%; border:1;"> 
- <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10">Refresh a Windows 7 computer with Windows 10</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-configmgr/refresh-a-windows-7-client-with-windows-10-using-configuration-manager">Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
+ <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10">Refresh a Windows 7 computer with Windows 10</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager">Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
     </td>
   </tr>
   <tr>
@@ -133,7 +132,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
       Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
     </td>
     <td align="center" style="width:16%; border:1;"> 
- <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer">Replace a Windows 7 computer with a Windows 10 computer</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-configmgr/replace-a-windows-7-client-with-windows-10-using-configuration-manager">Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
+ <a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer">Replace a Windows 7 computer with a Windows 10 computer</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager">Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
     </td>
   </tr>
 </table>
@@ -206,16 +205,14 @@ While the initial Windows 10 release includes a variety of provisioning setting
 
 ## Traditional deployment: 
 
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
 
 The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
 
 -   **New computer.** A bare-metal deployment of a new machine.
-
 -   **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
-
 -   **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
 
 ### New computer
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 4548f59a91..5a53df6187 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -326,7 +326,7 @@ WDSUTIL /Set-Server /AnswerClients:None
 
      See the following example:
 
-     <img src="images/sccm-pxe.png" alt="Config Mgr PXE"/>
+     <img src="images/configmgr-pxe.png" alt="Config Mgr PXE"/>
 
 5. Click **OK**.
 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -900,7 +900,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
 
-    ![site](images/sccm-site.png)
+    ![site](images/configmgr-site.png)
 
     If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
 
@@ -908,7 +908,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here.  See the following example:
 
-    ![client](images/sccm-client.png)
+    ![client](images/configmgr-client.png)
 
     >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
 
@@ -970,7 +970,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
 
-    ![collection](images/sccm-collection.png)
+    ![collection](images/configmgr-collection.png)
 
 ### Create a device collection for PC1
 
@@ -1018,7 +1018,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 
 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
 
-    ![software](images/sccm-software-cntr.png)
+    ![software](images/configmgr-software-cntr.png)
 
     >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
 
@@ -1056,17 +1056,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
 
-    ![installOS](images/sccm-install-os.png)
+    ![installOS](images/configmgr-install-os.png)
 
     The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed.  See the following example:
 
-    ![asset](images/sccm-asset.png)   
+    ![asset](images/configmgr-asset.png)   
     
     You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. 
     
     When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
 
-    ![post-refresh](images/sccm-post-refresh.png) 
+    ![post-refresh](images/configmgr-post-refresh.png) 
 
 
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 2b72ab624c..e86a065bf5 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -781,7 +781,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     Windows 10 deployment with MDT and Microsoft Endpoint Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
 
-    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 
     On DC1, open an elevated Windows PowerShell prompt and type the following commands:
 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index bdb8c230c4..d953b17ab2 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -89,7 +89,7 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E
 
 If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
 
-#### Muti-factor authentication
+#### Multi-factor authentication
 
 An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.  
 
diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png
index cf095b831c..06cc80fe95 100644
Binary files a/windows/deployment/windows-autopilot/images/csp2.png and b/windows/deployment/windows-autopilot/images/csp2.png differ
diff --git a/windows/deployment/windows-autopilot/images/csp3a.png b/windows/deployment/windows-autopilot/images/csp3a.png
new file mode 100644
index 0000000000..3fb1291370
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp3a.png differ
diff --git a/windows/deployment/windows-autopilot/images/csp3b.png b/windows/deployment/windows-autopilot/images/csp3b.png
new file mode 100644
index 0000000000..c2034c1ebc
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp3b.png differ
diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png
index 608128e5ab..ddada725b2 100644
Binary files a/windows/deployment/windows-autopilot/images/csp4.png and b/windows/deployment/windows-autopilot/images/csp4.png differ
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index 40de54fe9a..162db9fe0e 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -26,6 +26,9 @@ ms.topic: article
 <table>
 <th>Issue<th>More information
 
+<tr><td>Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.</td>
+<td>This will occur when there is another user on the device that already has Administrator rights.  For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group.  To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.</tr>
+
 <tr><td>Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more).</td>
 <td>To fix this issue: <ol><li>Boot the device to the start of the out-of-box experience (OOBE).
 <li>Establish a network connection (wired or wireless).
diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md
index a91c17be27..cb93b03921 100644
--- a/windows/deployment/windows-autopilot/registration-auth.md
+++ b/windows/deployment/windows-autopilot/registration-auth.md
@@ -45,11 +45,15 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
     ![Request a reseller relationship](images/csp1.png)
     - Select the checkbox indicating whether or not you want delegated admin rights:
     ![Delegated rights](images/csp2.png)
-    - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent.  You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal:  https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
+    - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent.  You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Admin Center or the Office 365 admin portal:  https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
     - Send the template above to the customer via email.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
+2. Customer with global administrator privileges in Microsoft Admin Center clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
 
-    ![Global admin](images/csp3.png)
+    ![Global admin](images/csp3a.png)
+
+    The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested.  If the customer did not request delegated admin rights they would see the following page:
+
+    ![Global admin](images/csp3b.png)   
 
     > [!NOTE]
     > A user without global admin privileges who clicks the link will see a message similar to the following:
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index a0bef4bb0b..88eb4f33e3 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -30,7 +30,7 @@ With **Windows Autopilot for white glove deployment**, the provisioning process
 
  ![OEM](images/wg02.png)
 
-Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active directory join scenarios.
+Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active Directory join scenarios.
 
 ## Prerequisites
 
@@ -61,8 +61,8 @@ To enable white glove deployment, an additional Autopilot profile setting must b
 
 The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune.  That includes certificates, security templates, settings, apps, and more – anything targeting the device.  Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device. 
 
->[!NOTE]
->Other user-targeted policies will not apply until the user signs into the device.  To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
+> [!NOTE]
+> The white glove technician phase will install all device-targeted apps as well as any user-targeted, device-context apps that are targeted to the assigned user. If there is no assigned user, then it will only install the device-targeted apps. Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
 
 ## Scenarios
 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 0e9d529823..75f70fe534 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -27,7 +27,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
 
 ## Software requirements
 
-- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported.
+- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 Semi-Annual Channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported.
 - The following editions are supported:
   - Windows 10 Pro
   - Windows 10 Pro Education
@@ -81,7 +81,8 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
 <tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
 <tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>.
 <tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
-<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: 
+<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: 
+
   <br>Intel- https://ekop.intel.com/ekcertservice 
   <br>Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
   <br>AMD- https://ftpm.amd.com/pki/aia
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 8c74c372fe..a9089d86bc 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -20,18 +20,18 @@ ms.topic: article
 
 To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
 
-Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
+Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution.
 
 In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
 
-## <a href="" id="sec06"></a>Windows Assessment and Deployment Kit
+## Windows Assessment and Deployment Kit
 
 
 Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803  ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
 
 ![figure 1](images/win-10-adk-select.png)
 
-Figure 1. The Windows 10 ADK feature selection page.
+The Windows 10 ADK feature selection page.
 
 ### Deployment Image Servicing and Management (DISM)
 
@@ -52,7 +52,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
 
 ![figure 2](images/mdt-11-fig05.png)
 
-Figure 2. Using DISM functions in PowerShell.
+Using DISM functions in PowerShell.
 
 For more information on DISM, see [DISM technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619161).
 
@@ -68,38 +68,30 @@ Occasionally, we find that customers are wary of USMT because they believe it re
 USMT includes several command-line tools, the most important of which are ScanState and LoadState:
 
 -   **ScanState.exe.** This performs the user-state backup.
-
 -   **LoadState.exe.** This performs the user-state restore.
-
 -   **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe.
 
 In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
 
 -   **Migration templates.** The default templates in USMT.
-
 -   **Custom templates.** Custom templates that you create.
-
 -   **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
 
 ![figure 3](images/mdt-11-fig06.png)
 
-Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
+A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
 
 USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
 
 By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
 
 -   Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
-
 -   Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
 
     **Note**  
     The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
 
-     
-
 -   Operating system component settings
-
 -   Application settings
 
 These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](https://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619228).
@@ -110,7 +102,7 @@ Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to a
 
 ![figure 4](images/windows-icd.png)
 
-Figure 4. Windows Imaging and Configuration Designer.
+Windows Imaging and Configuration Designer.
 
 For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkID=525483).
 
@@ -120,7 +112,7 @@ Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or C
 
 ![figure 7](images/mdt-11-fig07.png)
 
-Figure 5. Windows answer file opened in Windows SIM.
+Windows answer file opened in Windows SIM.
 
 For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
 
@@ -130,7 +122,7 @@ If you don’t use KMS, you can still manage your MAKs centrally with the Volume
 
 ![figure 6](images/mdt-11-fig08.png)
 
-Figure 6. The updated Volume Activation Management Tool.
+The updated Volume Activation Management Tool.
 
 VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
 
@@ -148,7 +140,7 @@ The key thing to know about Windows PE is that, like the operating system, it ne
 
 ![figure 7](images/mdt-11-fig09.png)
 
-Figure 7. A machine booted with the Windows ADK default Windows PE boot image.
+A machine booted with the Windows ADK default Windows PE boot image.
 
 For more details on Windows PE, see [Windows PE (WinPE)](https://go.microsoft.com/fwlink/p/?LinkId=619233).
 
@@ -159,18 +151,18 @@ Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset
 
 ![figure 8](images/mdt-11-fig10.png)
 
-Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options.
+A Windows 10 client booted into Windows RE, showing Advanced options.
 
 For more information on Windows RE, see [Windows Recovery Environment](https://go.microsoft.com/fwlink/p/?LinkId=619236).
 
-## <a href="" id="sec08"></a>Windows Deployment Services
+## Windows Deployment Services
 
 
 Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
 
 ![figure 9](images/mdt-11-fig11.png)
 
-Figure 9. Windows Deployment Services using multicast to deploy three machines.
+Windows Deployment Services using multicast to deploy three machines.
 
 In Windows Server 2012 R2, [Windows Deployment Services](https://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
 
@@ -181,16 +173,14 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan
 Also, there are a few new features related to TFTP performance:
 
 -   **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
-
 -   **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
-
 -   **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
 
 ![figure 10](images/mdt-11-fig12.png)
 
-Figure 10. TFTP changes are now easy to perform.
+TFTP changes are now easy to perform.
 
-## <a href="" id="sec09"></a>Microsoft Deployment Toolkit
+## Microsoft Deployment Toolkit
 
 
 MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
@@ -204,20 +194,20 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup
 
 ![figure 11](images/mdt-11-fig13.png)
 
-Figure 11. The Deployment Workbench in, showing a task sequence.
+The Deployment Workbench in, showing a task sequence.
 
 For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
 
-## <a href="" id="sec10"></a>Microsoft Security Compliance Manager 2013
+## Microsoft Security Compliance Manager 2013
 
 
 [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
 
 ![figure 12](images/mdt-11-fig14.png)
 
-Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance.
+The SCM console showing a baseline configuration for a fictional client's computer security compliance.
 
-## <a href="" id="sec11"></a>Microsoft Desktop Optimization Pack
+## Microsoft Desktop Optimization Pack
 
 
 MDOP is a suite of technologies available to Software Assurance customers through an additional subscription.
@@ -229,36 +219,33 @@ The following components are included in the MDOP suite:
 -   **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
 
 -   **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
-
 -   **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
-
 -   **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
 
 For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](https://go.microsoft.com/fwlink/p/?LinkId=619247).
 
-## <a href="" id="sec12"></a>Internet Explorer Administration Kit 11
-
+## Internet Explorer Administration Kit 11
 
 There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
 
 ![figure 13](images/mdt-11-fig15.png)
 
-Figure 13. The User Experience selection screen in IEAK 11.
+The User Experience selection screen in IEAK 11.
 
 To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=619248) page.
 
-## <a href="" id="sec13"></a>Windows Server Update Services
+## Windows Server Update Services
 
 
 WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
 
 ![figure 14](images/mdt-11-fig16.png)
 
-Figure 14. The Windows Server Update Services console.
+The Windows Server Update Services console.
 
 For more information on WSUS, see the [Windows Server Update Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=619249).
 
-## <a href="" id="sec14"></a>Unified Extensible Firmware Interface
+## Unified Extensible Firmware Interface
 
 
 For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
@@ -268,11 +255,8 @@ For many years BIOS has been the industry standard for booting a PC. BIOS has se
 BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
 
 -   16-bit code
-
 -   1 MB address space
-
 -   Poor performance on ROM initialization
-
 -   MBR maximum bootable disk size of 2.2 TB
 
 As the replacement to BIOS, UEFI has many features that Windows can and will use.
@@ -280,19 +264,12 @@ As the replacement to BIOS, UEFI has many features that Windows can and will use
 With UEFI, you can benefit from:
 
 -   **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
-
 -   **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
-
 -   **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
-
 -   **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
-
 -   **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
-
 -   **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
-
 -   **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
-
 -   **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
 
 ### Versions
@@ -304,11 +281,8 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia
 In regard to UEFI, hardware is divided into four device classes:
 
 -   **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device.
-
 -   **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
-
 -   **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
-
 -   **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
 
 ### Windows support for UEFI
@@ -322,31 +296,13 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support
 There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
 
 -   Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
-
 -   When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
-
 -   When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
-
 -   UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
 
 For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources.
 
 ## Related topics
 
-
-
-
-[Deploy Windows To Go](deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
-
- 
-
- 
-
-
-
-
-
+[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)<br>
+[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
\ No newline at end of file
diff --git a/windows/docfx.json b/windows/docfx.json
index afb77d1e77..4661aaf2be 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.pdf"],
+          "files": ["**/images/**", "**/*.pdf", "**/*.bmp"],
           "exclude": ["**/obj/**"]
         }
     ],
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 291b0a7d56..d15ec0f74b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -10,8 +10,8 @@ ms.localizationpriority: high
 audience: ITPro
 author: medgarmedgar
 ms.author: v-medgar
-manager: sanashar
-ms.date: 9/10/2019
+manager: robsize
+ms.date: 3/25/2020
 ---
 
 # Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
@@ -31,6 +31,9 @@ This article describes the network connections that Windows 10 components make t
 >- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
 >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
 
+>[!Warning]
+>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings.  If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required. 
+
 For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
 
 For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
@@ -139,8 +142,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
    1. [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** 
    1. [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)**
    1. [Defender/EnableSmartScreenInShell](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)**
-   1. Windows Defender Smartscreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender Smartscreen. **Set to 0 (zero)**
-   1. Windows Defender Smartscreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 
+   1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)**
+   1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 
    1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
    1. [Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares**
 1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)**
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 70e294409e..03b72907ac 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -11,10 +11,10 @@ ms.localizationpriority: high
 audience: ITPro
 author: medgarmedgar
 ms.author: v-medgar
-manager: sanashar
+manager: robsize
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 9/17/2019
+ms.date: 3/25/2020
 ---
 
 # Manage connections from Windows 10 operating system components to Microsoft services
@@ -36,6 +36,12 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
 > - It is recommended that you restart a device after making configuration changes to it. 
 > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
 
+>[!Note]
+>Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release.
+
+>[!Warning] 
+>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings.
+
 To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
 
 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index b03ec007b8..8dc6b27a55 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -24,6 +24,7 @@
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
 ### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
 ### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
+### [Hardware readiness tool](credential-guard/dg-readiness-tool.md)
 ### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
 ### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 036ce84b5d..3136a3238c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -12,7 +12,6 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 03/01/2019
 ms.reviewer: 
 ---
 
@@ -86,22 +85,24 @@ You can do this by using either the Control Panel or the Deployment Image Servic
     ```
     dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
     ```
-> [!NOTE]
-> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
+    NOTE: In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
 
-> [!NOTE]
+> [!TIP]
 > You can also add these features to an online image by using either DISM or Configuration Manager.
 
 #### Enable virtualization-based security and Windows Defender Credential Guard
 
 1.  Open Registry Editor.
+
 2.  Enable virtualization-based security:
     -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
     -   Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
     -   Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
+
 3.  Enable Windows Defender Credential Guard:
     -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
     -   Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
+
 4.  Close Registry Editor.
 
 
@@ -112,7 +113,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
 
 ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 
-You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg_readiness_tool.md).
+You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool.ps1 -Enable -AutoReboot
@@ -135,7 +136,7 @@ You can view System Information to check that Windows Defender Credential Guard
 
     ![System Information](images/credguard-msinfo32.png)
 
-You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool_v3.6.ps1 -Ready
@@ -152,8 +153,8 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 -   You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
     -   **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
     -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
-        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it’s not configured to run.
-        -   The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
+        -   The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
     -   **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
     -   **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
     -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
@@ -165,9 +166,11 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
 
 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
+
 2. Delete the following registry settings:
    - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
+
 3. If you also wish to disable virtualization-based security delete the following registry settings:
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
@@ -188,14 +191,18 @@ To disable Windows Defender Credential Guard, you can use the following set of p
    ```
 
 5. Restart the PC.
+
 6. Accept the prompt to disable Windows Defender Credential Guard.
+
 7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
 
-> [!NOTE]
-> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
-
-    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-    bcdedit /set vsmlaunchtype off
+    > [!NOTE]
+    > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
+    >
+    >```
+    >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+    >bcdedit /set vsmlaunchtype off
+    >```
 
 > [!NOTE]
 > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
@@ -206,7 +213,7 @@ For more info on virtualization-based security and Windows Defender Device Guard
 
 #### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 
-You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
diff --git a/windows/security/identity-protection/credential-guard/dg_readiness_tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
similarity index 99%
rename from windows/security/identity-protection/credential-guard/dg_readiness_tool.md
rename to windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index 0022d48998..6c12907b28 100644
--- a/windows/security/identity-protection/credential-guard/dg_readiness_tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -12,7 +12,6 @@ ms.author: stsyfuhs
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 09/18/2019
 ms.reviewer: 
 ---
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
@@ -960,7 +959,7 @@ function PrintToolVersion
     LogAndConsole ""
     LogAndConsole "###########################################################################"
     LogAndConsole ""
-    LogAndConsole "Readiness Tool Version 3.7 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
+    LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
     LogAndConsole ""
     LogAndConsole "###########################################################################"
     LogAndConsole ""
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index d1efe88759..7189408b7b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -42,7 +42,7 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
 
 ## Deployment and trust models
 
-Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*.
+Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*.
 
 Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 54e4021adc..4a5e2492fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -154,6 +154,9 @@ These procedures configure NTFS and share permissions on the web server to allow
 ![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
 9. In the **Advanced Sharing** dialog box, click **OK**.
 
+> [!Tip]
+> Make sure that users can access **\\\Server FQDN\sharename**.
+
 #### Disable Caching 
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
@@ -325,6 +328,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
 14. Click **Save**
 15. Sign-out of the Azure portal.
 
+> [!IMPORTANT]
+> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
+
 ## Section Review
 > [!div class="checklist"]
 > * Configure Internet Information Services to host CRL distribution point
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index c7b2eca8b7..9c4dba47c8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -122,11 +122,9 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
 > 
 > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. 
 
-#### Azure MFA Provider 
-If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. 
 
 #### Configure Azure MFA Settings
-Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings.  Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
+Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
 
 #### Azure MFA User States
 After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 0977f9b6a8..314df80eac 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
 ## Configure Azure for Device Registration
 Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. 
 
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)  
+To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
 
 Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
 
@@ -49,7 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
+3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. Configure Azure Device Registration (*You are here*)
 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 016bf3f7d8..97c87a6d14 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -102,8 +102,8 @@ Organizations using older directory synchronization technology, such as DirSync
 <br>
 
 
-## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments.  For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication).  For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. 
+## Federation with Azure
+You can deploy Windows Hello for Business key trust in non-federated and federated environments.  For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication).  For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. 
 
 > [!div class="checklist"]
 > * Non-federated environments
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index f663299fb7..04e43174e8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -18,9 +18,9 @@ ms.reviewer:
 
 # Smart Card Group Policy and Registry Settings
 
-Applies To: Windows 10, Windows Server 2016
+Applies to: Windows 10, Windows Server 2016
 
-This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
 
 The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
 
@@ -66,21 +66,23 @@ The following sections and tables list the smart card-related Group Policy setti
 
 ## Primary Group Policy settings for smart cards
 
-The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
 
 The registry keys are in the following locations:
 
--   HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
 
--   HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
 
--   HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
 
-> **Note**&nbsp;&nbsp;Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers.<br>Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards.
+> [!NOTE]
+> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.<br>
+Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
 
-The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic.
+The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article.
 
-| **Server Type or GPO**    | **Default Value** |
+| **Server type or GPO**    | **Default value** |
 |----------------------------------------------|-------------------|
 | Default Domain Policy     | Not configured    |
 | Default Domain Controller Policy             | Not configured    |
@@ -91,13 +93,14 @@ The following table lists the default values for these GPO settings. Variations
 
 ### Allow certificates with no extended key usage certificate attribute
 
-This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in.
+You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in.
 
-> **Note**&nbsp;&nbsp;Enhanced key usage certificate attribute is also known as extended key usage.
+> [!NOTE]
+> Enhanced key usage certificate attribute is also known as extended key usage.
+> 
+> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
 
-In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
-
-When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card:
+When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
 
 -   Certificates with no EKU
 
@@ -105,7 +108,7 @@ When this policy setting is enabled, certificates with the following attributes
 
 -   Certificates with a Client Authentication EKU
 
-When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
+When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
@@ -116,68 +119,87 @@ When this policy setting is disabled or not configured, only certificates that c
 
 ### Allow ECC certificates to be used for logon and authentication
 
-This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain.
+You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. 
+
+When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain. 
+
+When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
 
 | **Item**          | **Description**                   |
 |--------------------------------------|-------------------------------|
-| Registry key      | EnumerateECCCerts                 |
+| Registry key      | **EnumerateECCCerts**                |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent   |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None      |
-| Notes and resources                  | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. <br>If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. |
+| Notes and resources                  | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting. <br>If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
 
 ### Allow Integrated Unblock screen to be displayed at the time of logon
 
-This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
+You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
 
-When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available.
+When this setting is turned on, the integrated unblock feature is available. 
+
+When this setting isn't turned on, the feature is not available.
 
 | **Item**          | **Description**    |
 |--------------------------------------|---------------------------------------------------------------------------------------------------------------|
-| Registry key      | AllowIntegratedUnblock                |
+| Registry key      | **AllowIntegratedUnblock**              |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent       |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None          |
-| Notes and resources                  | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.<br>You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+| Notes and resources                  | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.<br>You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
 
 ### Allow signature keys valid for Logon
 
-This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen.
+You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in. 
+
+When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. 
+
+When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key      | AllowSignatureOnlyKeys          |
+| Registry key      | **AllowSignatureOnlyKeys**|
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None    |
 | Notes and resources                  |              |
 
 ### Allow time invalid certificates
 
-This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in.
+You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in.
 
-Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
+> [!NOTE]
+> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
 
-When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen.
+When this setting is turned on, certificates are listed on the sign-in screen whether they have an invalid time, or their time validity has expired.
+
+When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key      | AllowTimeInvalidCertificates    |
+| Registry key      | **AllowTimeInvalidCertificates** |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None    |
 | Notes and resources                  |              |
 
 ### Allow user name hint
 
-This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed.
+You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. 
+
+When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. 
+
+When this policy setting isn't turned on, users don't see this optional field.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key      | X509HintsNeeded                 |
+| Registry key      | **X509HintsNeeded**|
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None    |
 | Notes and resources                  |              |
 
 ### Configure root certificate clean up
 
-This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options:
+You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. 
+
+When this policy setting is turned on, you can set the following cleanup options:
 
 -   **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
 
@@ -185,122 +207,168 @@ This policy setting allows you to manage the cleanup behavior of root certificat
 
 -   **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
 
-When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows.
+When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key      | RootCertificateCleanupOption    |
+| Registry key      | **RootCertificateCleanupOption**|
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None    |
 | Notes and resources                  |              |
 
 ### Display string when smart card is blocked
 
-When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the system’s default message is displayed to the user when the smart card is blocked.
+You can use this policy setting to change the default message that a user sees if their smart card is blocked.
+
+When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked. 
+
+When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system’s default message when the smart card is blocked.
 
 | **Item**          | **Description**             |
 |--------------------------------------|-------------------------|
-| Registry key      | IntegratedUnblockPromptString                  |
+| Registry key      | **IntegratedUnblockPromptString**      |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent                |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
 | Notes and resources                  |          |
 
 ### Filter duplicate logon certificates
 
-This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+You can use this policy setting to configure which valid sign-in certificates are displayed. 
 
-Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user.
+> [!NOTE]
+> During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+> 
+> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.  
+
+When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates. 
+
+If this policy setting isn't turned on, all the certificates are displayed to the user.
 
 This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
 
 | **Item**          | **Description**               |
 |--------------------------------------|--------------------------------------------------------------------------------------------------|
-| Registry key      | FilterDuplicateCerts          |
+| Registry key      | **FilterDuplicateCerts**|
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent                  |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None  |
 | Notes and resources                  | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
 
 ### Force the reading of all certificates from the smart card
 
-This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
+You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
 
-When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in.
+When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. 
+
+When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|----------------------------------------------------------------------------|
-| Registry key      | ForceReadingAllCertificates     |
+| Registry key      | **ForceReadingAllCertificates** |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**&nbsp;&nbsp;Enabling this policy setting can adversely impact performance during the sign in process in certain situations.  |
+| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations.  |
 | Notes and resources                  | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior.                |
 
 ### Notify user of successful smart card driver installation
 
-This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed.
+You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed. 
+
+When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed. 
+
+When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
 
 | **Item**          | **Description**        |
 |--------------------------------------|------------------------------------------------|
-| Registry key      | ScPnPNotification      |
+| Registry key      | **ScPnPNotification** |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent           |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None              |
 | Notes and resources                  | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process.        |
 
 ### Prevent plaintext PINs from being returned by Credential Manager
 
-This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager.
+You can use this policy setting to prevent Credential Manager from returning plaintext PINs. 
+
+> [!NOTE]
+> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. 
+
+When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN. 
+
+When this setting isn't turned on, Credential Manager can return plaintext PINs.
 
 | **Item**          | **Description**     |
 |--------------------------------------|-----------------------------------------------------------------------------------|
-| Registry key      | DisallowPlaintextPin                   |
+| Registry key      | **DisallowPlaintextPin**|
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent        |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None           |
-| Notes and resources                  | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+| Notes and resources                  | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
 
 ### Reverse the subject name stored in a certificate when displaying
 
-When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process.
+You can use this policy setting to control the way the subject name appears during sign in.
+
+> [!NOTE]
+> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
+
+When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate.
+
+When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.
 
-To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
 
 | **Item**          | **Description**                 |
 |--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key      | ReverseSubject                  |
+| Registry key      | **ReverseSubject** |
 | Default values    | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None    |
 | Notes and resources                  |              |
 
 ### Turn on certificate propagation from smart card
 
-This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted. 
+> [!NOTE]
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
 
-If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook.
+When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card. 
+
+When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
 
 | **Item**          | **Description**    |
 |--------------------------------------|----------------|
-| Registry key      | CertPropEnabled    |
+| Registry key      | **CertPropEnabled**|
 | Default values    | No changes per operating system versions<br>Enabled and not configured are equivalent        |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
 | Notes and resources                  | |
 
 ### Turn on root certificate propagation from smart card
 
-This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card.
+You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted. 
+
+> [!NOTE]
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. 
+
+When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
+
+When this policy setting isn’t turned on, root certificate propagation doesn’t occur when the user inserts the smart card.
 
 | **Item**          | **Description**   |
 |--------------------------------------|---------------------------------------------------------------------------------------------------------|
-| Registry key      | EnableRootCertificate Propagation    |
+| Registry key      | **EnableRootCertificate Propagation** |
 | Default values    | No changes per operating system versions<br>Enabled and not configured are equivalent       |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
 | Notes and resources                  |                   |
 
 ### Turn on Smart Card Plug and Play service
 
-This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards.
+You can use this policy setting to control whether Smart Card Plug and Play is enabled. 
 
-When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader.
+> [!NOTE]
+> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards.
+
+When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. 
+
+When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
 
 | **Item**          | **Description**        |
 |--------------------------------------|------------------------------------------------|
-| Registry key      | EnableScPnP            |
+| Registry key      | **EnableScPnP** |
 | Default values    | No changes per operating system versions<br>Enabled and not configured are equivalent            |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None              |
 | Notes and resources                  | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process.        |
@@ -309,9 +377,9 @@ When the Smart Card Plug and Play policy setting is enabled or not configured, a
 
 The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
 
-The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider.
+The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
 
-The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider.
+The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
 
 **Registry keys for the base CSP and smart card KSP**
 
@@ -320,7 +388,7 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
 | **AllowPrivateExchangeKeyImport**  | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.<br>Default value: 00000000           |
 | **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.<br>Default value: 00000000                 |
 | **DefaultPrivateKeyLenBits**       | Defines the default length for private keys, if desired.<br>Default value: 00000400<br>Default key generation parameter: 1024-bit keys        |
-| **RequireOnCardPrivateKeyGen**     | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
+| **RequireOnCardPrivateKeyGen**     | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
 | **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc1500<br>The default timeout for holding transactions to the smart card is 1.5 seconds.           |
 
 **Additional registry keys for the smart card KSP**
@@ -332,14 +400,14 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
 
 ## CRL checking registry keys
 
-The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.
+The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
 
 **CRL checking registry keys**
 
 | **Registry Key**         | **Details**                 |
 |------------|-----------------------------|
-| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors   | Type = DWORD<br>Value = 1 |
-| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD<br>Value = 1 |
+| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
+| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
 
 ## Additional smart card Group Policy settings and registry keys
 
@@ -349,40 +417,41 @@ In a smart card deployment, additional Group Policy settings can be used to enha
 
 -   Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
 
-The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
 
 **Local security policy settings**
 
-| Group Policy Setting and Registry Key    |  Default   | Description   |
+| Group Policy setting and registry key    |  Default   | Description   |
 |------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card<br><br>scforceoption          |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can only sign in to the computer by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.         |
-| Interactive logon: Smart card removal behavior<br><br>scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**&nbsp;&nbsp;Remote Desktop Services was called Terminal Services in previous versions of Windows Server.  |
+| Interactive logon: Require smart card<br><br>**scforceoption**   |  Disabled        | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.         |
+| Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services.  |
 
 From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
 
-The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
 
-Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults.
+Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
 
-> **Note**&nbsp;&nbsp;In the following table, fresh credentials are those that you are prompted for when running an application.
+> [!NOTE]
+> In the following table, fresh credentials are those that you are prompted for when running an application.
 
 **Credential delegation policy settings**
 
 
-|                                        Group Policy Setting and Registry Key                                         |    Default     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+|                                        Group Policy setting and registry key                                         |    Default     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
 |----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                         **Allow Delegating Fresh Credentials**<br><br>AllowFreshCredentials                          | Not Configured | This policy setting applies: <br>When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.<br>To applications that use the CredSSP component (for example, Remote Desktop Services).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. <br>**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.<br>**Disabled**: Delegation of fresh credentials to any computer is not permitted.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:<br>Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. <br>Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.<br>Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
-| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**<br><br>AllowFreshCredentialsWhenNTLMOnly | Not Configured |                                                                                                                                                                            This policy setting applies:<br>When server authentication was achieved by using NTLM.<br>To applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.<br>**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).<br>**Disabled**: Delegation of fresh credentials is not permitted to any computer.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples.                                                                                                                                                                            |
-|                          **Deny Delegating Fresh Credentials**<br><br>DenyFreshCredentials                           | Not Configured |                                                                                                                                                                                                                                                                                                 This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.<br>**Disabled** or **Not Configured**: A server is not specified.<br><br>**Note**&nbsp;&nbsp;This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples.                                                                                                                                                                                                                                                                                                 |
+|                         Allow Delegating Fresh Credentials<br><br>**AllowFreshCredentials**  | Not configured | This policy setting applies: <br>When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.<br>To applications that use the CredSSP component (for example, Remote Desktop Services).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. <br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.<br>**Disabled**: Delegation of fresh credentials to any computer isn't permitted.<br><br>**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:<br>Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. <br>Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.<br>Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| Allow Delegating Fresh Credentials with NTLM-only Server Authentication<br><br>**AllowFreshCredentialsWhenNTLMOnly** | Not configured |                                                                                                                                                                            This policy setting applies:<br>When server authentication was achieved by using NTLM.<br>To applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.<br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).<br>**Disabled**: Delegation of fresh credentials isn't permitted to any computer.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples.                                                                                                                                                                            |
+|                          Deny Delegating Fresh Credentials<br><br>**DenyFreshCredentials** | Not configured |                                                                                                                                                                                                                                                                                                 This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.<br>**Disabled** or **Not configured**: A server is not specified.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>For examples, see the "Allow delegating fresh credentials" policy setting.                                                                                                                                                                                                                                                                                                 |
 
-If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored.
+If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
 
 | **Registry key** | **Corresponding Group Policy setting**                 |
 |-------------------------------------|---------------------------------------------------------------------------|
-| AllowDefaultCredentials             | Allow Delegating Default Credentials                   |
-| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication |
-| AllowSavedCredentials               | Allow Delegating Saved Credentials  |
-| AllowSavedCredentialsWhenNTLMOnly   | Allow Delegating Saved Credentials with NTLM-only Server Authentication   |
+| **AllowDefaultCredentials**             | Allow Delegating Default Credentials                   |
+| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
+| **AllowSavedCredentials** | Allow Delegating Saved Credentials  |
+| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication   |
 
 ## See also
 
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index c3c19ee400..6d79db4dc3 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -38,7 +38,7 @@
 
 ## [Encrypted Hard Drive](encrypted-hard-drive.md)
 
-## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
+## [Kernel DMA Protection for Thunderbolt&trade; 3](kernel-dma-protection-for-thunderbolt.md)
 
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
@@ -47,8 +47,8 @@
 ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
 #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
 #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
-### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
-#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md)
+#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md)
 #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
 #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
 ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg
rename to windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 2f83a67ca2..18236c1ddf 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -111,7 +111,7 @@ list volume
 
 If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
 
-![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg)
+![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
 
 #### Step 2: Verify the status of WinRE
 
@@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
 
 You receive an error message that resembles the following:
 
-> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client.
+> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
 
 ### Cause
 
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index d2a77a72e2..2bcfcf6622 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -23,12 +23,12 @@ ms.reviewer:
 - Windows 10, version 1607 and later
 - Windows 10 Mobile, version 1607 and later
 
-If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
 
 The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.   
 
 >[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
 
 ## Manually create an EFS DRA certificate
 
@@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP
     >[!Important]
     >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
 
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
 
 > [!NOTE]
 > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
 
 ## Verify your data recovery certificate is correctly set up on a WIP client computer
 
-1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. 
+1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP. 
 
-2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
+2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
 
 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
 
@@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later
    
    <code>Robocopy "%localappdata%\Microsoft\EDP\Recovery" "<i>new_location</i>" * /EFSRAW</code>
 
-   Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
+   Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
 
    To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
    
@@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later
 
 4. Ask the employee to lock and unlock the device.
 
-   The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+   The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
 
 ## Auto-recovery of encryption keys
 Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
 
-To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity.
+To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
 
 The employee experience is based on sign in with an Azure AD work account. The employee can either:
 
@@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
 
-- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
 
 - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
similarity index 78%
rename from windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 9d1178639c..a5baa19809 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -25,10 +25,10 @@ ms.date: 01/09/2020
 - Windows 10 Mobile, version 1607 and later
 - Microsoft Endpoint Configuration Manager
 
-Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 
 ## Add a WIP policy
-After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
 
 >[!TIP]
 > Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
@@ -37,16 +37,16 @@ After you’ve installed and set up Configuration Manager for your organization,
 
 1.  Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
 
-    ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
+    ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
 
 2.  Click the **Create Configuration Item** button.<p>
 The **Create Configuration Item Wizard** starts.
 
-    ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png)
+    ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
 
 3.  On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
 
-4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
+4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
 
     -   **Settings for devices managed with the Configuration Manager client:** Windows 10
 
@@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts.
 
 5.  On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png)
+    ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
 
 6.  On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png)
+    ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
 
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
 
 ## Add app rules to your policy
 
-During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
 
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 
 >[!IMPORTANT]
->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
 ### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
 
 **To add a store app**
 
@@ -82,13 +82,13 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png)
+    ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
 
-2.  Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+2.  Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
 
 3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
 
-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
 
 4.  Pick **Store App** from the **Rule template** drop-down list.
 
@@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk
 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
    > [!IMPORTANT]
-   > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
+   > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.<p>For example:<p>
    > ```json
    >     {
    >         "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk
 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 
    > [!IMPORTANT]
-   > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+   > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
    > For example:<p>
    > ```json
    >     {
@@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk
    > ```
 
 ### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
 
 **To add a desktop app to your policy**
 1.  From the **App rules** area, click **Add**.
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png)
+    ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
 
-2.  Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+2.  Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
 
 3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
 
-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
 
 4.  Pick **Desktop App** from the **Rule template** drop-down list.
 
@@ -186,7 +186,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
             <th>Manages</th>
         </tr>
         <tr>
-            <td>All fields left as “*”</td>
+            <td>All fields left as "*"</td>
             <td>All files signed by any publisher. (Not recommended.)</td>
         </tr>
         <tr>
@@ -215,7 +215,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
         </tr>
     </table>
 
-If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+If you're unsure about what to include for the publisher, you can run this PowerShell command:
 
 ```ps1
 Get-AppLockerFileInformation -Path "<path of the exe>"
@@ -232,7 +232,7 @@ Path                   Publisher
 Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
 
 ### Add an AppLocker policy file
-For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
 
 **To create an app rule and xml file using the AppLocker tool**
 1.  Open the Local Security Policy snap-in (SecPol.msc).
@@ -257,7 +257,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
 
     ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
 
-7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
 
     ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
 
@@ -277,7 +277,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
 
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
 
-    The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+    The policy is saved and you'll see a message that says 1 rule was exported from the policy.
 
     **Example XML file**<br>
     This is the XML file that AppLocker creates for Microsoft Photos.
@@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
         </RuleCollection>
     </AppLockerPolicy>
     ```
-12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.
+12. After you've created your XML file, you need to import it by using Configuration Manager.
 
 **To import your Applocker policy file app rule using Configuration Manager**
 
@@ -307,13 +307,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png)
+    ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
 
-2.  Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
+2.  Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
 
 3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
 
-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
 
 4.  Pick the **AppLocker policy file** from the **Rule template** drop-down list.
 
@@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with
 
     The **Add app rule** box appears.
 
-2.  Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*.
+2.  Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
 
 3.  Click **Exempt** from the **Windows Information Protection mode** drop-down list.
 
-    Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
+    Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
 
-4.  Fill out the rest of the app rule info, based on the type of rule you’re adding:
+4.  Fill out the rest of the app rule info, based on the type of rule you're adding:
 
     - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
 
@@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with
 |-----|------------|
 |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.|
 
-![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png)
+![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png)
 
 ## Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
 
 You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
 
@@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit
 
 - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
 
-    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png)
+    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
 
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
 
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 
 >[!IMPORTANT]
 >Every WIP policy should include policy that defines your enterprise network locations.<br>
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
 
 **To define where your protected apps can find and send enterprise data on you network**
 
@@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
 
-   ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png)
+   ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
 
    <table>
        <tr>
@@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw
        <tr>
            <td>Enterprise Cloud Resources</td>
            <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
-           <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don’t use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
+           <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
        </tr>
        <tr>
            <td>Enterprise Network Domain Names (Required)</td>
@@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw
        <tr>
            <td>Proxy servers</td>
            <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
-           <td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.<br><br>This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
+           <td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
        </tr>
        <tr>
            <td>Internal proxy servers</td>
            <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
-           <td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.<br><br>This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/>    </tr>
+           <td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/>    </tr>
        <tr>
            <td>Enterprise IPv4 Range (Required)</td>
            <td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
@@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
 
-   ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
+   ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png)
 
    - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
 
@@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw
 
 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png)
+   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
 
-   After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
+   After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
 
    For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
 
 ## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
 
-![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png)
+![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
 
 **To set your optional settings**
 1.  Choose to set any or all of the optional settings:
@@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you
 
         - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
 
-    - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+    - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
 
         - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
 
-        - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+        - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
 
-    - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
+    - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
 
 2. After you pick all of the settings you want to include, click **Summary**.
 
@@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o
 **To view the Summary screen**
 - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
 
-    ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png)
+    ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
 
     A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
 
 ## Deploy the WIP policy
-After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
+After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
 - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
 
 - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 47d4db6ed7..684b78d8e2 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to
 
 ![Sensitivity labels](images/sensitivity-label-auto-label.png)
 
-A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on.
+A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
 You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. 
 
 ### Protection
@@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas
 - Auto labelling requires Windows 10, version 1903
 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
 - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
-- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)
+- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)
 
 
 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 8b5a188647..3fc752f3ca 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -53,7 +53,7 @@ This table provides info about the most common problems you might encounter whil
     </tr>
     <tr>
         <td>WIP is designed for use by a single user per device.</td>
-        <td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.</td>
+        <td>A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.</td>
         <td>We recommend only having one user per managed device.</td>
     </tr>
     <tr>
@@ -121,17 +121,25 @@ This table provides info about the most common problems you might encounter whil
     <tr>
         <td>Only enlightened apps can be managed without device enrollment
         </td>
-        <td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
+        <td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
         <td>If all apps need to be managed, enroll the device for MDM.
         </td>
     </tr>
     <tr>
-        <td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can&#39;t access it.<br/>        </td>
+        <td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can&#39;t access it.<br/>        </td>
         <td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. 
         </td>
         <td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
         </td>
     </tr>
+    <tr>
+        <td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
+        </td>
+        <td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. 
+        </td>
+        <td>It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
+        </td>
+    </tr>
 </table>
 
 > [!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
similarity index 88%
rename from windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index fc7e101613..a1e662c65e 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp
 ## In this section
 |Topic |Description |
 |------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 7cb66960c1..961744bbf6 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
         <td>Create work documents in enterprise-allowed apps.</td>
         <td><strong>For desktop:</strong><br><br>
             <ul>
-                <li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
+                <li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
             </ul>
             <strong>For mobile:</strong><br><br>
             <ol>
@@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
             <ol>
                 <li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
                 <li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
-                <li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
+                <li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
             </ol>
         </td>
     </tr>
@@ -172,17 +172,7 @@ You can try any of the processes included in these scenarios, but you should foc
             </ul>
         </td>
     </tr>
-    <tr>
-        <td>Stop Google Drive from syncing WIP protected files and folders.</td>
-        <td>
-            <ul>
-                <li>In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.</li>
-                <li>Google Drive details</li>
-                Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
-                File=GOOGLEDRIVESYNC.EXE
-            </ul>
-        </td>
-    </tr>
+    
 </table>
 
 >[!NOTE]
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 2ac8e45d32..cc66e6e688 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,105 +6,345 @@
 ### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
 ### [Preview features](microsoft-defender-atp/preview.md)
 ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
+### [Portal overview](microsoft-defender-atp/portal-overview.md)
 ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
 
 ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
 
-## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md)
+## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
 
 
 ## [Deployment guide]()
 ### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
-
 ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
-
-### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md)
-
+### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
 ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
 
 
 
 
 ## [Security administration]()
-### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
-### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
-### [Configuration score](microsoft-defender-atp/configuration-score.md)
-### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
-### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
-### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
-### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
-### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
+### [Threat & Vulnerability Management]()
+#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
+#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
+#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
+#### [Configuration score](microsoft-defender-atp/configuration-score.md)
+#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
+#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
+#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
+#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
+#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
+
+### [Attack surface reduction]()
+#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
+#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
+#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
+#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
+
+
+#### [Attack surface reduction controls]()
+##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
+##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
+
+#### [Hardware-based isolation]()
+##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
+##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+
+##### [Application isolation]()
+###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
+###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
+
+##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+
+##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
+ 
+
+#### [Device control]()
+##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+
+##### [Device Guard]()
+###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 
 
 
+#### [Exploit protection]()
+##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
+##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
 
 
+#### [Network protection]()
+##### [Protect your network](microsoft-defender-atp/network-protection.md)
+##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
+
+ 
+#### [Web protection]()
+##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
+##### [Web threat protection]()
+###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
+###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
+###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
+ 
+#### [Controlled folder access]()
+##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
+##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+
+
+
+#### [Network firewall]()
+##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
+##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+
+
+### [Next-generation protection]()
+#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+
+#### [Configure next-generation protection]()
+##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+   
+##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+   
+##### [Configure behavioral, heuristic, and real-time protection]()
+###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+   
+##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+   
+##### [Antivirus compatibility]()
+###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+   
+##### [Deploy, manage updates, and report on antivirus]()
+###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+   
+###### [Report on antivirus protection]()
+####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+   
+###### [Manage updates and apply baselines]()
+####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+   
+##### [Customize, initiate, and review the results of scans and remediation]()
+###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+   
+###### [Configure and validate exclusions in antivirus scans]()
+####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+   
+###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+   
+##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+   
+##### [Manage antivirus in your business]()
+###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+   
+##### [Manage scans and remediation]()
+###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+   
+###### [Configure and validate exclusions in antivirus scans]()
+####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+   
+###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+
+##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+   
+##### [Manage next-generation protection in your business]()
+###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
+###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+
+#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
+#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
+
+
+### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
+#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
+
+#### [Deploy]()
+##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
+##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
+##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
+##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
+#### [Update](microsoft-defender-atp/mac-updates.md)
+
+#### [Configure]()
+##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
+##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
+##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
+
+#### [Troubleshoot]()
+##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
+##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
+##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
+##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
+
+#### [Privacy](microsoft-defender-atp/mac-privacy.md)
+#### [Resources](microsoft-defender-atp/mac-resources.md)
+
+
+### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
+#### [Deploy]()
+##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
+##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
+##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
+
+#### [Update](microsoft-defender-atp/linux-updates.md)
+
+
+#### [Configure]()
+##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
+##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
+##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+
+#### [Troubleshoot]()
+##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
+##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
+##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
+
+
+#### [Resources](microsoft-defender-atp/linux-resources.md)
+
+### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+
 ## [Security operations]()
-### [Portal overview](microsoft-defender-atp/portal-overview.md)
-### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
 
 
-### [Incidents queue]()
-#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
-#### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
-#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
 
-### [Alerts queue]()
-#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
-#### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
-#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
-#### [Investigate files](microsoft-defender-atp/investigate-files.md)
-#### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
-#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
-#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
-##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
-#### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
+### [Endpoint detection and response]()
+#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
+#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
+#### [Incidents queue]()
+##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
+##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
+##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
+ 
+#### [Alerts queue]()
+##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
+##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
+##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
+##### [Investigate files](microsoft-defender-atp/investigate-files.md)
+##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
+##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
+##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
+###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
+##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
+ 
+#### [Machines list]()
+##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
+##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
+ 
+#### [Take response actions]()
+##### [Take response actions on a machine]()
+###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
+###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
+###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
+###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
+###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
+###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
+ 
+##### [Take response actions on a file]()
+###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
+###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
+###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
+###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
+###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
+###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
+###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
+###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
+###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
 
-### [Machines list]()
-#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
-#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
+#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
+##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
 
-### [Take response actions]()
-#### [Take response actions on a machine]()
-##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
-##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
-##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
-##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
-##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
-##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
-##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
-##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
-
-#### [Take response actions on a file]()
-##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
-##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
-##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
-##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
-##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
-##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
-##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
-
-### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
+#### [Investigate entities using Live response]()
+##### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
+##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
 
 
-### [Investigate entities using Live response]()
-#### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
-#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
 
-### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
+
+
+##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)
+
+#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
+
+#### [Reporting]()
+##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
+##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
+##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
+#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
+
+
+#### [Custom detections]()
+##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+
+
+
+
+
+
+### [Automated investigation and response]()
+#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
 
 ### [Advanced hunting]()
 #### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
 #### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
+#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
 #### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
 #### [Advanced hunting schema reference]()
 ##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
@@ -127,17 +367,13 @@
 
 ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
 
-### [Reporting]()
-#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
-#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
-#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
-#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
+### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
+
+
+
 
 
 
-### [Custom detections]()
-#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
-#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
 
 
 
@@ -173,168 +409,6 @@
 #### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
 #### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
 
-### [Manage capabilities]()
-
-#### [Configure attack surface reduction]()
-##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-
-#### [Hardware-based isolation]()
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-##### [Application isolation]()
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-
-##### [Device control]()
-###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-
-###### [Device Guard]()
-####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-####### [Memory integrity]()
-######## [Understand memory integrity](device-guard/memory-integrity.md)
-######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
-
-##### [Exploit protection]()
-###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
-###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-
-##### [Network protection](microsoft-defender-atp/enable-network-protection.md)
-##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
-
-##### [Attack surface reduction controls]()
-###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
-###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
-
-##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
-
-#### [Configure next-generation protection]()
-##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
-
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-
-##### [Configure behavioral, heuristic, and real-time protection]()
-###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
-
-##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
-
-##### [Antivirus compatibility]()
-###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
-
-##### [Deploy, manage updates, and report on antivirus]()
-###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
-
-###### [Report on antivirus protection]()
-####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
-
-###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-##### [Customize, initiate, and review the results of scans and remediation]()
-###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-
-###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-
-###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-
-##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-
-##### [Manage antivirus in your business]()
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-
-##### [Manage scans and remediation]()
-###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-
-###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-
-###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-
-##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-
-##### [Manage next-generation protection in your business]()
-###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
-###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-
-#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
-##### [What's New](microsoft-defender-atp/mac-whatsnew.md)
-##### [Deploy]()
-###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
-###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
-##### [Update](microsoft-defender-atp/mac-updates.md)
-##### [Configure]()
-###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
-###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
-###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
-##### [Troubleshoot]()
-###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
-###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
-##### [Privacy](microsoft-defender-atp/mac-privacy.md)
-##### [Resources](microsoft-defender-atp/mac-resources.md)
-
-
-#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
-##### [Deploy]()
-###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
-###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
-###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
-##### [Update](microsoft-defender-atp/linux-updates.md)
-##### [Configure]()
-###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
-###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
-##### [Resources](microsoft-defender-atp/linux-resources.md)
-
-
-#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
-
 ### [Configure portal settings]()
 #### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
 #### [General]()
@@ -369,57 +443,10 @@
 ### [Configure integration with other Microsoft solutions]()
 #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
 #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
-
 
 
 
 ## Reference
-### [Capabilities]()
-#### [Threat & Vulnerability Management]()
-##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-
-#### [Attack surface reduction]()
-##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-##### [Hardware-based isolation]()
-###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
-###### [Application isolation]()
-####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
-####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
- 
-###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
- 
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
-##### [Network protection](microsoft-defender-atp/network-protection.md)
- 
-##### [Web protection]()
-###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
-######  [Web threat protection]()
-####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
-####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
-#######[Respond to web threats](microsoft-defender-atp/web-protection-response.md)
-###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
- 
-##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
-##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
-##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-
-#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
-##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
-##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
-
-
-
-#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
-
-#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
-
-
-
-
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
 
@@ -457,9 +484,10 @@
 ####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
 ####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
 ####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
-####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
+####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
 ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
 ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
+####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
 
 ###### [Machine Action]()
 ####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@@ -521,6 +549,7 @@
 ####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
 ####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
 ####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
+####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
 
 ###### [Vulnerability]()
 ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
@@ -588,27 +617,8 @@
 
 ### [Information protection in Windows overview]()
 #### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
-
-
-### [Evaluate Microsoft Defender ATP]()
-#### [Attack surface reduction and next-generation capability evaluation]()
-##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
-##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
-##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
-##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-
-
-
-### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
-
-
 
+### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)
 
 ### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
 
@@ -693,6 +703,9 @@
 #### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
 #### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
 
+### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
+#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
+#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
 
 ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index f15fee7c4d..a18783d92c 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -23,25 +23,26 @@ ms.date: 07/25/2018
 -   Windows 10
 
 You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
-To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
+
+To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
 
 **To apply or modify auditing policy settings for a local file or folder**
 
-1.  Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
-2.  Click **Advanced**.
-3.  In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
+1.  Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
+2.  Select **Advanced**.
+3.  In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
 4.  Do one of the following:
-    -   To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**.
-    -   To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure.
-    -   To view or change auditing for an existing group or user, click its name, and then click **Edit.**
+    -   To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
+    -   To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
+    -   To view or change auditing for an existing group or user, select its name, and then select **Edit.**
 5.  In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
-    -   To audit successful events, click **Success.**
-    -   To audit failure events, click **Fail.**
-    -   To audit all events, click **All.**
+    -   To audit successful events, select **Success.**
+    -   To audit failure events, select **Fail.**
+    -   To audit all events, select **All.**
 
  
 
-6.  In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
+6.  In the **Applies to** box, select the object(s) to which the audit of events will apply. These include:
  
     -   **This folder only**
     -   **This folder, subfolders and files**
@@ -55,16 +56,18 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
     -   **Read and execute**
     -   **List folder contents**
     -   **Read**
-    -   Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
+    -   Additionally, with your selected audit combination, you can select any combination of the following permissions:
+          - **Full control**
+          - **Modify**
+          - **Write**
     
-    
-
-> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
+> [!IMPORTANT]    
+> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
  
 ## Additional considerations
 
--   After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
+-   After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
 -   You can set up file and folder auditing only on NTFS drives.
--   Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
+-   Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
  
  
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 94499439b0..e6131584e5 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -22,38 +22,39 @@ ms.date: 04/19/2017
 **Applies to**
 -   Windows 10
 
-This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
+This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
 
-This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
+This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
 
-For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
+For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
 
 Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx).
 
->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
+> [!NOTE]
+> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
  
 **To configure settings to monitor central access policies associated with files or folders**
 
 1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3.  In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
+2.  In Server Manager, point to **Tools**, and then select **Group Policy Management**.
+3.  In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**.
 4.  Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6.  Enable auditing for a file or folder as described in the following procedure.
+5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
+6.  Turn on auditing for a file or folder as described in the following procedure.
 
-**To enable auditing for a file or folder**
+**To turn on auditing for a file or folder**
 
-1.  Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
-2.  Right-click the file or folder, click **Properties**, and then click the **Security** tab.
-3.  Click **Advanced**, click the **Auditing** tab, and then click **Continue**.
+1.  Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
+2.  Right-click the file or folder, select **Properties**, and then select the **Security** tab.
+3.  Select **Advanced**, select the **Auditing** tab, and then select **Continue**.
 
-    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 
-4.  Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**.
+4.  Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**.
 5.  In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**.
-6.  Click **OK** four times to complete the configuration of the object SACL.
-7.  Open a File Explorer window and select or create a file or folder to audit.
-8.  Open an elevated command prompt, and run the following command:
+6.  To complete the configuration of the object SACL, select **OK** four times.
+7.  Open a File Explorer window, and then select or create a file or folder to audit.
+8.  Open an elevated command prompt, and then run the following command:
 
     `gpupdate /force`
 
@@ -61,15 +62,16 @@ After you configure settings to monitor changes to the central access policies t
 
 **To verify that changes to central access policies associated with files and folders are monitored**
 
-1.  Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
-2.  Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure.
-3.  Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**.
-4.  Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice.
-    >**Note:**  You must select a setting that is different than your original setting to generate the audit event.
+1.  Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
+2.  Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure.
+3.  Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**.
+4.  Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
+    > [!NOTE]
+    > You must select a setting that is different than your original setting to generate the audit event.
      
-5.  In Server Manager, click **Tools**, and then click **Event Viewer**.
-6.  Expand **Windows Logs**, and then click **Security**.
-7.  Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies.
+5.  In Server Manager, select **Tools**, and then select **Event Viewer**.
+6.  Expand **Windows Logs**, and then select **Security**.
+7.  Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
 
 ### Related resource
 
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index e88b1b13e8..725e9d2023 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
 | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.  |
 | Firmware: **Secure firmware update process**      | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).  | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
 | Software: **HVCI compatible drivers**       | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.  |
-| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
+| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
 
 > **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
 
@@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
 
 | Protections for Improved Security          | Description                                        | Security benefits |
 |---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
 | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM.  |
 
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 728fac1163..35ac0e33f0 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -31,7 +31,7 @@ ms.topic: conceptual
 </tr>
 <tr>
 <td colspan="7">
-<a href="#apis"><center><b>Centratlized configuration and administration, APIs</a></b></center></td>
+<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
 </tr>
 <tr>
 <td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
@@ -42,9 +42,9 @@ ms.topic: conceptual
 <a name="tvm"></a>
 
 **[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
 
-- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) 
+- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
 - [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
 - [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
@@ -97,7 +97,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
 <a name="ai"></a>
 
 **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. 
+In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
 
 - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
 - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
@@ -116,7 +116,7 @@ Microsoft Defender ATP includes a configuration score to help you dynamically as
 <a name="mte"></a>
 
 **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
-Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. 
+Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
 
 - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
 - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
@@ -139,7 +139,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
 - Office 365 ATP
 - Azure ATP
 - Azure Security Center
-- Skype for Business 
+- Skype for Business
 - Microsoft Cloud App Security
 
 <a name="mtp"></a>
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index 0c3ce01531..fcd89c3a81 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -26,17 +26,22 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://
 
 Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
 <br><br>
-![String of images showing scores](./images/Transparency-report-November1.png)
 
 **Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
 
-### AV-TEST: Protection score of 6.0/6.0 in the latest test
+### AV-TEST: Protection score of 5.5/6.0 in the latest test
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
 
-- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
+- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) <sup>**Latest**</sup>
 
-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889 malware samples used. This industry-leading antivirus solution has consistently achieved a perfect Protection score in all AV-TEST cycles in the past 14 months.
+    Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
+
+- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
+
+- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
+
+- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
 
 - May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
@@ -48,13 +53,15 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
 
 - September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
 
-### AV-Comparatives: Protection rating of 99.9% in the latest test
+### AV-Comparatives: Protection rating of 99.6% in the latest test
 
 Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
 
-- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
+- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) <sup>**Latest**</sup>
 
-    Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.9% in the latest test.
+    Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
+
+- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) 
 
 - Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
@@ -66,9 +73,11 @@ Business Security Test consists of three main parts: the Real-World Protection T
 
 SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
 
-- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
+- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) <sup>**pdf**</sup> 
 
-    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.
+    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
+
+- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
 
 - Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 2326198e30..798540594f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -118,7 +118,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
 
 1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
 
-2. Click **Create a workspace** or use your primary workspace.
+2. Click **Create your instance**.
 
 3. Toggle the Integration setting to **On** and click **Save**.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 7ce887afa8..7209a654db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Advanced hunting query best practices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index 9134afc574..8956d5c3a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
index 82bc19d642..53faa19f58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceFileEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
index fe1f719c73..b9c338f0c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceImageLoadEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
index f05d8d0382..e51b88cf9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceInfo
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
index 689d68d6e6..9814bdbe14 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceLogonEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
index fb91c21fd2..17ba4f7f0d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
index ba7cf147bf..2e84b08364 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkInfo
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
index 7b656947ec..6fdba4c948 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceProcessEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
index 8dfc835e93..c0b36b2df8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceRegistryEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 5e5df96421..0a28ea14cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -1,7 +1,7 @@
 ---
-title: Overview of advanced hunting
+title: Overview of advanced hunting in Microsoft Defender ATP
 description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Proactively hunt for threats with advanced hunting
@@ -39,38 +38,19 @@ You can also go through each of the following steps to ramp up your advanced hun
 | Learning goal | Description | Resource |
 |--|--|--|
 | **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
+| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
 | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
 | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |  
+| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |  
 
 ## Get help as you write queries
 Take advantage of the following functionality to write queries faster:
-- **Autosuggest** — as you write queries, advanced hunting provides suggestions. 
+- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense. 
 - **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
 
-## Drilldown from query results
-To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center.
-
-## Tweak your queries from the results
-Right-click a value in the result set to quickly enhance your query. You can use the options to:
-
-- Explicitly look for the selected value (`==`)
-- Exclude the selected value from the query (`!=`)
-- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
-
-![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
-
-## Filter the query results
-The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
-
-Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
-
-![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
-
-Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
-
 ## Related topics
 - [Learn the query language](advanced-hunting-query-language.md)
+- [Work with query results](advanced-hunting-query-results.md)
 - [Use shared queries](advanced-hunting-shared-queries.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 85f9a0c799..3570732cf5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Learn the advanced hunting query language
@@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents  
+// Finds PowerShell execution events that could involve a download
+union DeviceProcessEvents, DeviceNetworkEvents
 | where Timestamp > ago(7d)
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
 This is how it will look like in advanced hunting.
 
-![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
 
-### Describe the query and specify the table to search
-The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
+
+### Describe the query and specify the tables to search
+A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. 
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents
+// Finds PowerShell execution events that could involve a download
 ```
 
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `DeviceProcessEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
 
+```kusto
+union DeviceProcessEvents, DeviceNetworkEvents
+```
 ### Set the time range
-The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
 ```kusto
 | where Timestamp > ago(7d)
 ```
-### Search for specific executable files
-The time range is immediately followed by a search for files representing the PowerShell application.
 
-```kusto
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+### Check specific processes
+The time range is immediately followed by a search for process file names representing the PowerShell application.
+
 ```
-### Search for specific command lines
-Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
-
-```kusto
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
-### Select result columns and length 
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
+
+### Search for specific command strings
+Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
 
 ```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+```
+
+### Customize result columns and length 
+Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+
+```kusto
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
-Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
+Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. 
+
+![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
+
+>[!TIP]
+>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
 
 ## Learn common query operators for advanced hunting
 
@@ -137,6 +159,7 @@ For detailed information about the query language, see [Kusto query language doc
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
+- [Work with query results](advanced-hunting-query-results.md)
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
new file mode 100644
index 0000000000..2ac9237205
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
@@ -0,0 +1,142 @@
+---
+title: Work with advanced hunting query results in Microsoft Defender ATP
+description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Work with advanced hunting query results
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
+
+While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
+
+- View results as a table or chart
+- Export tables and charts
+- Drill down to detailed entity information
+- Tweak your queries directly from the results or apply filters
+
+## View query results as a table or chart
+By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
+
+| View type | Description |
+| -- | -- |
+| **Table** | Displays the query results in tabular format |
+| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
+| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
+| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
+| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
+| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
+| **Scatter chart** | Plots numeric values for a series of unique items |
+| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
+
+### Construct queries for effective charts
+When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
+
+#### Alerts by severity
+Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
+
+```kusto
+DeviceAlertEvents
+| summarize Total = count() by Severity
+```
+When rendering the results, a column chart displays each severity value as a separate column:
+
+![Image of advanced hunting query results displayed as a column chart](images/advanced-hunting-column-chart.jpg)
+*Query results for alerts by severity displayed as a column chart*
+
+#### Alert severity by operating system
+You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS). 
+
+The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
+
+```kusto
+DeviceAlertEvents
+| join DeviceInfo on DeviceId
+| summarize Count = count() by OSPlatform, Severity
+```
+These results are best visualized using a stacked column chart:
+
+![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
+*Query results for alerts by OS and severity displayed as a stacked chart*
+
+#### Top ten machine groups with alerts
+If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten machine groups with the most alerts, use the query below:
+
+```kusto
+DeviceAlertEvents
+| join DeviceInfo on DeviceId
+| summarize Count = count() by MachineGroup
+| top 10 by Count
+```
+Use the pie chart view to effectively show distribution across the top groups:
+
+![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
+*Pie chart showing distribution of alerts across machine groups*
+
+#### Malware detections over time
+Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
+
+```kusto
+DeviceEvents
+| where ActionType == "AntivirusDetection"
+| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
+| summarize Detections = count() by bin(Timestamp, 30m)
+```
+The line chart below clearly highlights time periods with more detections of the test malware: 
+
+![Image of advanced hunting query results displayed as a line chart](images/advanced-hunting-line-chart.jpg)
+*Line chart showing the number of detections of a test malware over time*
+
+
+## Export tables and charts
+After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
+
+- **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
+- **Any chart** — the query results are exported as a JPEG image of the rendered chart
+
+## Drill down from query results
+To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
+
+## Tweak your queries from the results
+Right-click a value in the result set to quickly enhance your query. You can use the options to:
+
+- Explicitly look for the selected value (`==`)
+- Exclude the selected value from the query (`!=`)
+- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
+
+![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
+
+## Filter the query results
+The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
+
+Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
+
+![Image of advanced hunting filter](images/advanced-hunting-filter.png)
+
+Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 6e13b372ef..e90dbf5e55 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -55,4 +55,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
+- [Work with query results](advanced-hunting-query-results.md)
 - [Learn the query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index b24bb4db00..de3d5741a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Use shared queries in advanced hunting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index 9d9bea3f59..6255da37f0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 04/24/2018
+ms.date: 03/27/2020
 ---
 
 # View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
@@ -27,6 +27,9 @@ ms.date: 04/24/2018
 
 The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
 
+>[!NOTE]
+>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
+
 There are several options you can choose from to customize the alerts queue view. 
 
 On the top navigation you can:
@@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f
 
 Alert severity | Description
 :---|:---
-High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
-Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
-Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
-Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
+High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
+Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
+Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
+Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
 
 #### Understanding alert severity
 It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
new file mode 100644
index 0000000000..9f14575d2d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
@@ -0,0 +1,130 @@
+---
+title: Attack surface reduction frequently asked questions (FAQ)
+description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
+keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: martyav
+ms.author: v-maave
+ms.reviewer: 
+manager: dansimp
+ms.custom: asr
+---
+
+# Attack surface reduction frequently asked questions (FAQ)
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+**Is attack surface reduction (ASR) part of Windows?**
+
+ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions.
+
+**Do I need to have an enterprise license to run ASR rules?**
+
+The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available.
+
+**Is ASR supported if I have an E3 license?**
+
+Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details.
+
+**Which features are supported with an E5 license?**
+
+All of the rules supported with E3 are also supported with E5.
+
+E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
+
+**What are the the currently supported ASR rules??**
+
+ASR currently supports all of the rules below:
+
+* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
+* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
+* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
+* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
+* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
+* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
+* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
+* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)<!-- Note: Because the following link contains characters the validator is not expecting, it throws a warning that the bookmark does not exist. This is a false positive; the link correctly targets the heading, Block credential stealing from the Windows local security authority subsystem (lsass.exe), when selected -->
+* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
+* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
+* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
+* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
+* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
+* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
+* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
+
+**What are some good recommendations for getting started with ASR?**
+
+It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
+
+Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
+
+**How long should I test an ASR rule in audit mode before enabling it?**
+
+You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
+
+**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
+
+Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
+
+From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
+
+**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
+
+Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
+
+**Do ASR rules cover all applications by default?**
+
+It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
+
+**Does ASR support third-party security solutions?**
+
+ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
+
+**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
+
+Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
+
+**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
+
+Try opening the indexing options directly from Windows 10.
+
+1. Select the **Search** icon on the Windows taskbar.
+
+1. Enter **Indexing options** into the search box.
+
+**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
+
+No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
+
+**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
+
+This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
+
+Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
+
+**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
+
+A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
+
+Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
+
+**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
+
+Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
+
+## Related topics
+
+* [Attack surface reduction overview](attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 8d2f79fd76..7dfd283a11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 10/15/2018
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 49e8e3074a..f1b9737820 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -1,7 +1,7 @@
 ---
 title: Use attack surface reduction rules to prevent malware infection
-description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
+description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
+keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -26,27 +26,33 @@ ms.custom: asr
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
+Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
 
-To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events.
+Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
 
-Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
+* Launching executable files and scripts that attempt to download or run files
+* Running obfuscated or otherwise suspicious scripts
+* Performing behaviors that apps don't usually initiate during normal day-to-day work
 
-* Executable files and scripts used in Office apps or web mail that attempt to download or run files
-* Obfuscated or otherwise suspicious scripts
-* Behaviors that apps don't usually initiate during normal day-to-day work
+These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
 
-You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center.
+Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
 
-For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+
+## Attack surface reduction features across Windows versions
+
+You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+
+To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
 
 ## Review attack surface reduction events in the Microsoft Defender Security Center
 
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
 
 Here is an example query:
 
@@ -57,19 +63,19 @@ DeviceEvents
 
 ## Review attack surface reduction events in Windows Event Viewer
 
-You can review the Windows event log to view events that are created when attack surface reduction rules fire:
+You can review the Windows event log to view events generated by attack surface reduction rules:
 
 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 
-2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
+2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
 
-3. Click **Import custom view...** on the left panel, under **Actions**.
+3. Under **Actions**, select **Import custom view...**.
 
 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 
-5. Click **OK**.
+5. Select **OK**.
 
-This will create a custom view that filters to only show the following events related to controlled folder access:
+This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
 
 Event ID | Description
 -|-
@@ -77,35 +83,33 @@ Event ID | Description
 1121 | Event when rule fires in Block-mode
 1122 | Event when rule fires in Audit-mode
 
-The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
 
 ## Attack surface reduction rules
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
 
  Rule name | GUID | File & folder exclusions
------------|------|--------------------------
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
-Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
-Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
-Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
-Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
-
-Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
+-|-|-
+[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
+[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
+[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
+[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
+[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
+[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
+[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
+[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
+[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
+[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
+[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
+[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
+[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
+[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
+[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
 
 ### Block executable content from email client and webmail
 
-This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
+This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
 
 * Executable files (such as .exe, .dll, or .scr)
 * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
@@ -122,7 +126,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
 
 This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
 
-This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
 
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
 
@@ -148,7 +152,11 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 
 ### Block Office applications from injecting code into other processes
 
-Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
+This rule blocks code injection attempts from Office apps into other processes.
+
+Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
+
+There are no known legitimate business purposes for using code injection.
 
 This rule applies to Word, Excel, and PowerPoint.
 
@@ -162,9 +170,9 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 
 ### Block JavaScript or VBScript from launching downloaded executable content
 
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
 
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Although not common, line-of-business applications sometimes use scripts to download and launch installers.
 
 > [!IMPORTANT]
 > File and folder exclusions don't apply to this attack surface reduction rule.
@@ -179,7 +187,9 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
 
 ### Block execution of potentially obfuscated scripts
 
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
+This rule detects suspicious properties within an obfuscated script.
+
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
 
 This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
 
@@ -191,7 +201,9 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 
 ### Block Win32 API calls from Office macros
 
-Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
+This rule prevents VBA macros from calling Win32 APIs.
+
+Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
 
 This rule was introduced in:  Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
 
@@ -203,10 +215,12 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
 
-This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
+This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
 
 * Executable files (such as .exe, .dll, or .scr)
 
+Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
+
 > [!NOTE]
 > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
 
@@ -225,7 +239,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
 
 ### Use advanced protection against ransomware
 
-This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
+This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
 
 > [!NOTE]
 > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
@@ -238,9 +252,11 @@ Configuration Manager name: Use advanced protection against ransomware
 
 GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
 
-### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+### Block credential stealing from the Windows local security authority subsystem
 
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
+
+LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
 
 > [!NOTE]
 > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
@@ -255,10 +271,7 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 
 ### Block process creations originating from PSExec and WMI commands
 
-This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
-
-> [!IMPORTANT]
-> File and folder exclusions do not apply to this attack surface reduction rule.
+This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
 
 > [!WARNING]
 > Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
@@ -288,7 +301,9 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 
 ### Block Office communication application from creating child processes
 
-This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions.
+
+This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
 
 > [!NOTE]
 > This rule applies to Outlook and Outlook.com only.
@@ -303,7 +318,9 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 
 ### Block Adobe Reader from creating child processes
 
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
+This rule prevents attacks by blocking Adobe Reader from creating additional processes.
+
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
 
 This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
 
@@ -315,7 +332,9 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 ### Block persistence through WMI event subscription
 
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+This rule prevents malware from abusing WMI to attain persistence on a device.
+
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 This rule was introduced in: Windows 10 1903, Windows Server 1903
 
@@ -327,6 +346,7 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
 
 ## Related topics
 
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
 * [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
 * [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index da85274100..06bd8455af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -25,7 +25,7 @@ ms.topic: conceptual
 >[!NOTE]
 > Secure score is now part of Threat & Vulnerability Management as Configuration score.
 
-Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
+Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
 
 - Application
 - Operating system
@@ -33,7 +33,7 @@ Your Configuration score is visible in the [Threat & Vulnerability Management da
 - Accounts
 - Security controls
 
-A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
 
 ## How it works
 
@@ -43,20 +43,31 @@ A higher configuration score means your endpoints are more resilient from cybers
 The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
 
 - Compare collected configurations to the collected benchmarks to discover misconfigured assets
-- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
 - Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
 - Collect and monitor changes of security control configuration state from all assets
 
-From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
+## Improve your security configuration
 
-## Improve your configuration score
+You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
 
-The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
+1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
 
-- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** 
-- **Remediation type** — **Configuration change** or **Software update**
+2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
 
-See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
+   ![Security controls related security recommendations](images/tvm_security_controls.png)
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
+
+4. **Submit request**. You will see a confirmation message that the remediation task has been created.
+   >![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
+
+5. Save your CSV file.
+   ![Save csv file](images/tvm_save_csv_file.png)
+
+6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+
+7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
 
 >[!IMPORTANT]
 >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
@@ -71,17 +82,14 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 
 ## Related topics
 
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index f810639c75..66efa55144 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
   - Transparent proxy
   - Web Proxy Auto-discovery Protocol (WPAD)
 
-> [!NOTE]
-> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+    > [!NOTE]
+    > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
 
 - Manual static proxy configuration:
   - Registry based configuration
@@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
 
 ## Enable access to Microsoft Defender ATP service URLs in the proxy server
 
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
+If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
 
 > [!NOTE]
 > settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.<br>
@@ -120,6 +121,16 @@ United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.bl
 
 If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
 
+### Log analytics agent requirements
+
+The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
+
+|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
+|------|---------|--------|--------|   
+|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |  
+|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |  
+|*.blob.core.windows.net |Port 443 |Outbound|Yes |  
+
 ## Microsoft Defender ATP service backend IP range
 
 If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 75e7f8f006..371aa16ecd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -25,7 +25,7 @@ ms.topic: article
 - Windows Server 2012 R2
 - Windows Server 2016
 - Windows Server, version 1803
-- Windows Server, 2019
+- Windows Server, 2019 and later
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@@ -38,7 +38,7 @@ The service supports the onboarding of the following servers:
 - Windows Server 2012 R2
 - Windows Server 2016
 - Windows Server, version 1803
-- Windows Server 2019
+- Windows Server 2019 and later
 
 
 For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
@@ -113,7 +113,7 @@ The following steps are required to enable this integration:
     On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
     - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 
 
-3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
 
 Once completed, you should see onboarded servers in the portal within an hour.
 
@@ -153,11 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
 
     b. Run the following PowerShell command to verify that the passive mode was configured:
 
-       ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+      ```PowerShell
+      Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
+      ```
 
     c. Confirm  that a recent event containing the passive mode event is found:
        
-    ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
+      ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
 
 3. Run the following command to check if Windows Defender AV is installed:
 
@@ -172,8 +174,8 @@ Microsoft Defender ATP integrates with Azure Security Center to provide a compre
 The following capabilities are included in this integration:
 - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
 
-> [!NOTE]
-> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+    > [!NOTE]
+    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
 
 - Servers monitored by  Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers.  In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
 - Server investigation -  Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
index fd5efbf9ea..10c69301a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
@@ -78,7 +78,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
    <td>URL to authenticate the azure app (Default : https://login.microsoftonline.com)</td>
    </tr>
    <td>Endpoint</td>
-   <td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>:  <code>https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts</code>
+   <td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>:  <code>https://wdatp-alertexporter-eu.securitycenter.windows.com</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com</code>
    </tr>
    <tr>
    <td>Tenant ID</td>
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 5254713db3..b2fc09e758 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -63,14 +63,14 @@ With the query in the query editor, select **Create detection rule** and specify
 For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
 
 #### Rule frequency
-When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
+When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
 
-- **Every 24 hours** — checks data from the past 30 days
-- **Every 12 hours** — checks data from the past 24 hours
-- **Every 3 hours** — checks data from the past 6 hours
-- **Every hour** — checks data from the past 2 hours
+- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
+- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
+- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
+- **Every hour** — runs hourly, checking data from the past 2 hours
 
-Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
+Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
 
 ### 3. Specify actions on files or machines.
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@@ -88,7 +88,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
 - **Quarantine file** — deletes the file from its current location and places a copy in quarantine
 
 ### 4. Click **Create** to save and turn on the rule.
-When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions.
+After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
 
 ## Manage existing custom detection rules
 In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 839daef3d1..a1d4579881 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -1,5 +1,5 @@
 ---
-title: Configure how attack surface reduction rules work to finetune protection in your network
+title: Configure how attack surface reduction rules work to fine-tune protection in your network
 description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
 search.product: eADQiWindows 10XVcnh
@@ -26,11 +26,11 @@ manager: dansimp
 > [!IMPORTANT]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
 
-This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
+Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
 
-You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 
 ## Exclude files and folders
 
@@ -39,12 +39,12 @@ You can exclude files and folders from being evaluated by attack surface reducti
 > [!WARNING]
 > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
 
 An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
 Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
 
 Rule description | GUID
 -|-|-
@@ -103,3 +103,4 @@ See the [Windows Security](../windows-defender-security-center/windows-defender-
 * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
 * [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
index d37e16899b..b2bba2884e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 70a68c00ed..655d13f73e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -1,6 +1,6 @@
 ---
 title: Enable ASR rules individually to protect your organization
-description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
+description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -19,7 +19,7 @@ manager: dansimp
 
 # Enable attack surface reduction rules
 
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
+[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
 
 Each ASR rule contains three settings:
 
@@ -54,7 +54,7 @@ You can exclude files and folders from being evaluated by most attack surface re
 > * Block process creations originating from PSExec and WMI commands
 > * Block JavaScript or VBScript from launching downloaded executable content
 
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 
@@ -62,7 +62,7 @@ The following procedures for enabling ASR rules include instructions for how to
 
 ## Intune
 
-1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
+1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
 
@@ -186,4 +186,5 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 
 * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
 * [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
 * [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index f733ffb8a4..70a03c74e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -23,9 +23,9 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
 
-This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
+Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
 
 > [!TIP]
 > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -36,16 +36,15 @@ You can enable attack surface reduction rules in audit mode. This lets you see a
 
 You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
 
-To enable audit mode, use the following PowerShell cmdlet:
+To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
 
 ```PowerShell
 Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
 ```
 
-This enables all attack surface reduction rules in audit mode.
-
 > [!TIP]
 > If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+
 You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
 
 ## Review attack surface reduction events in Windows Event Viewer
@@ -68,3 +67,4 @@ See the [Customize attack surface reduction rules](customize-attack-surface-redu
 
 * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
 * [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 42ce3aa2b6..702d9e6c4e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -23,8 +23,7 @@ ms.topic: article
 
 Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
 
-The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
- focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
 
 When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
new file mode 100644
index 0000000000..86ce1c9e6a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -0,0 +1,86 @@
+---
+title: Get missing KBs by machine ID
+description: Retrieves missing KBs by machine Id
+keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Get missing KBs by machine ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by machine Id
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified machine missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs 
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+    "value": [
+        {
+            "id": "4540673",
+            "name": "March 2020 Security Updates",
+            "productsNames": [
+                "windows_10",
+                "edge",
+                "internet_explorer"
+            ],
+            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+            "machineMissedOn": 1,
+            "cveAddressed": 97
+        },
+         ...
+        ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
new file mode 100644
index 0000000000..e91d137857
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -0,0 +1,93 @@
+---
+title: Get missing KBs by software ID
+description: Retrieves missing KBs by software ID
+keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Get missing KBs by software ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by software ID
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type |   Permission   |   Permission display name
+:---|:---|:---
+Application |Software.Read.All |   'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read |   'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+
+```
+GET /api/Software/{Id}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified software missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+    "value": [
+         {
+            "id": "4540673",
+            "name": "March 2020 Security Updates",
+            "productsNames": [
+                "edge"
+            ],
+            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+            "machineMissedOn": 240,
+            "cveAddressed": 14
+         },
+         ...
+        ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg
new file mode 100644
index 0000000000..34add76848
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png
new file mode 100644
index 0000000000..7ef27c4d87
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg
new file mode 100644
index 0000000000..1091d7c719
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg
new file mode 100644
index 0000000000..881ae197d1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png
new file mode 100644
index 0000000000..f72fa6a68d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
deleted file mode 100644
index 57337cd9ab..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG
rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg
new file mode 100644
index 0000000000..d7917a6bed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png
new file mode 100644
index 0000000000..f3fabfe3ba
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png
new file mode 100644
index 0000000000..270a3502c5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png
new file mode 100644
index 0000000000..1e1e039268
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png
new file mode 100644
index 0000000000..a03e0732c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png
new file mode 100644
index 0000000000..5d1d428e9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png
new file mode 100644
index 0000000000..ba0576849e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png
new file mode 100644
index 0000000000..4854fa9f2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png
new file mode 100644
index 0000000000..3f1eb5d2b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png
new file mode 100644
index 0000000000..9a4fbebf8a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png
new file mode 100644
index 0000000000..7928a984a4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png
new file mode 100644
index 0000000000..1c81f3d4f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png
new file mode 100644
index 0000000000..86de17e266
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png
new file mode 100644
index 0000000000..eb8b56ee9b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png
new file mode 100644
index 0000000000..6754cafb4a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png
new file mode 100644
index 0000000000..da1c678a78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png
new file mode 100644
index 0000000000..b1c10100a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png
new file mode 100644
index 0000000000..4e584cf8ff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png
new file mode 100644
index 0000000000..409a17bd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png
new file mode 100644
index 0000000000..eff967231f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png
new file mode 100644
index 0000000000..633bdd07fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png
new file mode 100644
index 0000000000..4fa5bcefbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png
new file mode 100644
index 0000000000..57475dbc33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png
new file mode 100644
index 0000000000..8049e9ff17
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png
new file mode 100644
index 0000000000..b66bf94eed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png
new file mode 100644
index 0000000000..ac9b6fdbe0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png
new file mode 100644
index 0000000000..34013530b7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png
new file mode 100644
index 0000000000..ec02855c2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png
new file mode 100644
index 0000000000..3ca2697396
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png
new file mode 100644
index 0000000000..bae2cefcb1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png
new file mode 100644
index 0000000000..6b88d7c627
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png
new file mode 100644
index 0000000000..7d6da4c656
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png
new file mode 100644
index 0000000000..73d85b26ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png
new file mode 100644
index 0000000000..9106d38d7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png
new file mode 100644
index 0000000000..e2a4573a13
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
deleted file mode 100644
index a0f5f3e295..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png
new file mode 100644
index 0000000000..85a4ed9445
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png
new file mode 100644
index 0000000000..e862c73200
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png
new file mode 100644
index 0000000000..9d3b149d1c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png
new file mode 100644
index 0000000000..12f0d72fac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
deleted file mode 100644
index 31e550b1e1..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png
new file mode 100644
index 0000000000..b3893cd5ec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png
new file mode 100644
index 0000000000..7a46a33eec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png
new file mode 100644
index 0000000000..b299b79238
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png
new file mode 100644
index 0000000000..5ec281d0b3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png
new file mode 100644
index 0000000000..ea977eacef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png
new file mode 100644
index 0000000000..4659dcc51f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png
new file mode 100644
index 0000000000..df675109cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png
new file mode 100644
index 0000000000..7d80bca932
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png
new file mode 100644
index 0000000000..c7c9c0b861
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png
new file mode 100644
index 0000000000..a066310eae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png
new file mode 100644
index 0000000000..5a7ce86cbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png
new file mode 100644
index 0000000000..d8b73ba265
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
deleted file mode 100644
index 3ef800afac..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png
new file mode 100644
index 0000000000..d78ed19c8d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png
new file mode 100644
index 0000000000..dc677108ac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
deleted file mode 100644
index 4da702615b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
deleted file mode 100644
index 7d83e1545d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
deleted file mode 100644
index ea9e800b94..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
deleted file mode 100644
index cf9f274980..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
deleted file mode 100644
index 9af2ad6945..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
deleted file mode 100644
index ec4fa8bc44..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png
new file mode 100644
index 0000000000..731fa3bcf4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png
new file mode 100644
index 0000000000..72a97b7f26
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
deleted file mode 100644
index eb0adb5890..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Configure information protection in Windows 
-ms.reviewer: 
-description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Configure information protection in Windows 
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-
->[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
-If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
-
-
-
-## Prerequisites
-- Endpoints need to be on Windows 10, version 1809 or later
-- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
-- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
-
-
-## Configure endpoint data loss prevention
-Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
-
->[!NOTE]
->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
-
-1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. 
-2. Define which labels need to get WIP protection in Office 365 Security and Compliance. 
-    
-   1. Go to: **Classifications > Labels**.
-   2. Create a label or edit an existing one. 
-   3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
-
-      ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png)
-
-   4. Repeat for every label that you want to get WIP applied to in Windows. 
-
-
-
-
-## Configure auto labeling
-
-Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.
-
->[!NOTE]
-> Auto-labeling requires Windows 10, version 1903.
-
-
-1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
-
-2. Create a new label or edit an existing one. 
-
-
-3. Set a policy for Data classification:
-   
-   1. Go through the label creation wizard.
-   2. When you reach the Auto labeling page, turn on auto labeling toggle on.
-   3. Add a new auto-labeling rule with the conditions that you require. 
-    
-      ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png)    
-
-   4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
- 
-
-
-
-
-
-## Related topic
-- [Information protection in Windows overview](information-protection-in-windows-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 800351a160..34cb228572 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -27,7 +27,6 @@ ms.topic: conceptual
 
 Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
 
-Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
 
 >[!TIP]
 > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
@@ -95,36 +94,6 @@ InformationProtectionLogs_CL
 - Enable Azure Information Protection integration in Microsoft Defender Security Center:
     - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
 
-## Data protection
-
-### Endpoint data loss prevention
-
-For data to be protected, they must first be identified through labels.
-
-Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
-
-When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
-
-For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
-
-![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
-
-Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
-
-This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-## Auto labeling
-
-Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
-
-> [!NOTE]
-> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 379a0c8d3e..664d337477 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -30,6 +30,9 @@ When you investigate an incident, you'll see:
 - Incident comments and actions
 - Tabs (alerts, machines, investigations, evidence, graph)
 
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
+
+
 ## Analyze incident details 
 Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
deleted file mode 100644
index c86b827fd6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-title: Validate licensing provisioning and complete Microsoft Defender ATP set up
-description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal.
-keywords: license, licensing, account, set up, validating licensing, windows defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
----
-
-# Validate licensing provisioning and complete set up for Microsoft Defender ATP
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
-
-## Check license state
-
-Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
-
-1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
-   ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png)
-
-1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
-
-   - On the screen you will see all the provisioned licenses and their current **Status**.
-
-   ![Image of billing licenses](images/atp-billing-subscriptions.png)
-
-
-## Cloud Service Provider validation
-
-To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
-
-1. From the **Partner portal**, click on the **Administer services > Office 365**.
-
-2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
-
-   ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png)
-
-## Access Microsoft Defender Security Center for the first time
-
-When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created.
-
-1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
-
-    ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
-
-	Once the authorization step is completed, the **Welcome** screen will be displayed.
-
-2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
-
-    ![Image of Welcome screen for portal set up](images/welcome1.png)
-
-	You will need to set up your preferences for Microsoft Defender Security Center.
-
-3. Set up preferences
-    
-    ![Image of geographic location in set up](images/setup-preferences.png)
-
-   1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
-
-    	> [!WARNING]
-    	> This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process.
-
-   2. **Select the data retention policy** <br> Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
-
-      > [!NOTE]
-      > This option can be changed at a later time.
-
-   3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
-
-      > [!NOTE]
-      > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
-
-   4. **Turn on preview features** <br> Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
-
-	    You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
-
-      - Toggle the setting between On and Off to choose **Preview features**.
-
-      > [!NOTE]
-      > This option can be changed at a later time.
-
-4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
-
-	> [!NOTE]
-	> Some of these options can be changed at a later time in Microsoft Defender Security Center.
-
-    ![Image of final preference set up](images/setup-preferences2.png)
-
-5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
-
-6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
-
-   - [Onboard Windows 10 machines](configure-endpoints.md)
-
-   - Run detection test (optional)
-
-     ![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png)
-
-     > [!IMPORTANT]
-     > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification:
-     > ![Image of setup imcomplete](images/atp-setup-incomplete.png)
-
-7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
-
-## Related topics
-- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
-- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
new file mode 100644
index 0000000000..ef0797f456
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -0,0 +1,118 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Linux
+description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+> [!IMPORTANT]
+> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
+
+> [!WARNING]
+> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
+Folder | All files under the specified folder | `/var/log/`<br/>`/var/*/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
+
+File, folder, and process exclusions support the following wildcards:
+
+Wildcard | Description | Example | Matches
+---|---|---|---
+\* |	Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log`
+? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log`
+
+## How to configure the list of exclusions
+
+### From the management console
+
+For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+### From the command line
+
+Run the following command to see the available switches for managing exclusions:
+
+```bash
+$ mdatp --exclusion
+```
+
+Examples:
+
+- Add an exclusion for a file extension:
+
+    ```bash
+    $ mdatp --exclusion --add-extension .txt
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a file:
+
+    ```bash
+    $ mdatp --exclusion --add-folder /var/log/dummy.log
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a folder:
+
+    ```bash
+    $ mdatp --exclusion --add-folder /var/log/
+    Configuration updated successfully
+    ```
+
+- Add an exclusion for a process:
+
+    ```bash
+    $ mdatp --exclusion --add-process cat
+    Configuration updated successfully
+    ```
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
+
+```bash
+$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index d6714f727e..1ea46c138a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -256,7 +256,7 @@ Download the onboarding package from Microsoft Defender Security Center:
     - Open a Terminal window. Copy and execute the following command:
 
         ``` bash
-        curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
+        curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
         ```
 
     - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 30ebd5fdad..373d409cfd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Microsoft Defender ATP for Linux with Ansible
-ms.reviewer: 
+ms.reviewer:
 description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
 keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
 search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ author: dansimp
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
@@ -36,14 +36,14 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
 Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
 
 - Ansible needs to be installed on at least on one computer (we will call it the master).
-- Passwordless SSH must be configured for the root user between the master and all clients.
+- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
 - The following software must be installed on all clients:
-  - Python-apt
-  - Curl
-  - Unzip
+  - curl
+  - python-apt
+  - unzip
 
 - All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
-    
+
     ```bash
     [servers]
     host1 ansible_ssh_host=10.171.134.39
@@ -67,7 +67,7 @@ Download the onboarding package from Microsoft Defender Security Center:
     ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
 
 4. From a command prompt, verify that you have the file. Extract the contents of the archive:
-  
+
     ```bash
     $ ls -l
     total 8
@@ -79,12 +79,11 @@ Download the onboarding package from Microsoft Defender Security Center:
 
 ## Create Ansible YAML files
 
-Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory.
+Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
 
 - Copy the onboarding package to all client machines:
 
     ```bash
-    $ cat /etc/ansible/roles/copy_onboarding_pkg.yml
     - name: Copy the zip file
         copy:
             src:  /root/WindowsDefenderATPOnboardingPackage.zip
@@ -92,29 +91,33 @@ Create subtask or role files that contribute to an actual task. Create the follo
             owner: root
             group: root
             mode: '0644'
+
+    - name: Add Microsoft apt signing key
+      apt_key:
+        url: https://packages.microsoft.com/keys/microsoft.asc
+        state: present
+      when: ansible_os_family == "Debian"
     ```
 
-- Create a `setup.sh` script that operates on the onboarding file:
+- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
 
     ```bash
-    $ cat /root/setup.sh
-
     #!/bin/bash
-
+    # We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
+    cd /root || exit 1
     # Unzip the archive and create the onboarding file
     mkdir -p /etc/opt/microsoft/mdatp/
     unzip WindowsDefenderATPOnboardingPackage.zip
     cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
-
-    # get the GPG key
-    curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
-    sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
     ```
 
-- Create the onboarding file:
+- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
 
     ```bash
-    $ cat setup_blob.yml
+    - name: Register mdatp_onboard.json
+      stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
+      register: mdatp_onboard
+
     - name: Copy the setup script file
         copy:
             src: /root/setup.sh
@@ -124,7 +127,8 @@ Create subtask or role files that contribute to an actual task. Create the follo
             mode: '0744'
 
     - name: Run a script to create the onboarding file
-        script: /root/setup.sh
+      script: /root/setup.sh
+      when: not mdatp_onboard.stat.exists
     ```
 
 - Add the Microsoft Defender ATP repository and key.
@@ -142,28 +146,22 @@ Create subtask or role files that contribute to an actual task. Create the follo
     > [!NOTE]
     > In case of Oracle Linux, replace *[distro]* with “rhel”.
 
-    - For apt-based distributions use the following YAML file:
-
         ```bash
-        $ cat add_apt_repo.yml
-        - name: Add Microsoft repository for MDATP
+        - name: Add Microsoft apt repository for MDATP
             apt_repository:
                 repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
                 update_cache: yes
                 state: present
                 filename: microsoft-[channel].list
+            when: ansible_os_family == "Debian"
 
         - name: Add Microsoft APT key
-                apt_key:
-                    keyserver: https://packages.microsoft.com/
-                    id: BC528686B50D79E339D3721CEB3E94ADBE1229C
-        ```
+            apt_key:
+                keyserver: https://packages.microsoft.com/
+                id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
+            when: ansible_os_family == "Debian"
 
-    - For yum-based distributions use the following YAML file:
-
-        ```bash
-        $ cat add_yum_repo.yml
-        - name: Add  Microsoft repository for MDATP
+        - name: Add  Microsoft yum repository for MDATP
             yum_repository:
                 name: packages-microsoft-com-prod-[channel]
                 description: Microsoft Defender ATP
@@ -171,6 +169,7 @@ Create subtask or role files that contribute to an actual task. Create the follo
                 baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
                 gpgcheck: yes
                 enabled: Yes
+            when: ansible_os_family == "RedHat"
         ```
 
 - Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
index 43330660a0..0ac647a0b9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Configuring Microsoft Defender ATP for static proxy discovery
+# Configure Microsoft Defender ATP for Linux for static proxy discovery
 
 **Applies to:**
 
@@ -33,7 +33,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
 - The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
 
     ```bash
-    HTTPS_PROXY=”http://proxy.server:port/”
+    HTTPS_PROXY="http://proxy.server:port/"
     ```
 
 - The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
@@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
 - The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP: 
 
     ```bash  
-    $ HTTPS_PROXY=”http://proxy.server:port/" apt install mdatp
+    $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
     ```
 
     > [!NOTE]
@@ -62,12 +62,12 @@ Note that installation and uninstallation will not necessarily fail if a proxy i
   
 After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
 
-- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address.
+- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
 
 - Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
   
     ```bash
-    HTTPS_PROXY=”http://proxy.server:port/”
+    HTTPS_PROXY="http://proxy.server:port/"
     ```
 
 After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:  
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
new file mode 100644
index 0000000000..d34c004a38
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -0,0 +1,91 @@
+---
+title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Run the connectivity test
+
+To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
+
+## Troubleshooting steps for environments without proxy or with transparent proxy
+
+To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
+
+```bash
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to:
+
+```
+OK https://x.cp.wd.microsoft.com/api/report
+OK https://cdn.x.cp.wd.microsoft.com/ping
+```
+
+## Troubleshooting steps for environments with static proxy
+
+> [!WARNING]
+> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
+>
+> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
+
+If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
+
+```bash
+$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
+
+To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
+
+```bash
+#Environment="HTTPS_PROXY=http://address:port"
+```
+
+Also ensure that the correct static proxy address is filled in to replace `address:port`.
+
+If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
+
+```bash
+$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+```
+
+Upon success, attempt another connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the problem persists, contact customer support.
+
+## Resources
+
+- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
new file mode 100644
index 0000000000..0982c630fa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -0,0 +1,121 @@
+---
+title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, installation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot installation issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Verify if installation succeeded
+
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+```bash
+$ sudo journalctl | grep 'microsoft-mdatp'  > installation.log
+$ grep 'postinstall end' installation.log
+
+microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
+```
+An output from the previous command with correct date and time of installation indicates success.
+
+Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
+
+## Installation failed
+
+Check if the mdatp service is running
+```bash
+$ systemctl status mdatp
+
+● mdatp.service - Microsoft Defender ATP
+   Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
+   Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
+ Main PID: 1966 (wdavdaemon)
+    Tasks: 105 (limit: 4915)
+   CGroup: /system.slice/mdatp.service
+           ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
+           ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
+           └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+
+## Steps to troubleshoot if mdatp service isn't running
+
+1. Check if “mdatp” user exists:
+```bash
+$ id “mdatp”
+```
+If there’s no output, run
+```bash
+$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+```
+
+2. Try enabling and restarting the service using:
+```bash
+$ sudo systemctl enable mdatp
+$ sudo systemctl restart mdatp
+```
+
+3. If mdatp.service isn't found upon running the previous command, run
+```bash
+$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
+
+where <systemd_path> is
+/lib/systemd/system for Ubuntu and Debian distributions
+/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+```
+and then rerun step 2.
+
+4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
+Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
+
+5. Ensure that the daemon has executable permission.
+```bash
+$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+
+-rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+If the daemon doesn't have executable permissions, make it executable using:
+```bash
+$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+and retry running step 2.
+
+6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
+
+## If mdatp service is running, but EICAR text file detection doesn't work
+
+1. Check the file system type using:
+```bash
+$ findmnt -T <path_of_EICAR_file>
+```
+Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
+
+## Command-line tool “mdatp” isn't working
+
+1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
+```bash
+$  sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+```
+and try again.
+
+If none of the above steps help, collect the diagnostic logs:
+```bash
+$ sudo mdatp --diagnostic --create
+```
+Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
new file mode 100644
index 0000000000..55da60a602
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -0,0 +1,82 @@
+---
+title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
+description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Troubleshoot performance issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+
+Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
+
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
+
+The following steps can be used to troubleshoot and mitigate these issues:
+
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
+
+    If your device is not managed by your organization, real-time protection can be disabled from the command line:
+
+    ```bash
+    $ mdatp --config realTimeProtectionEnabled false
+    ```
+
+    If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux. 
+
+    > [!NOTE]
+    > This feature is available in version 100.90.70 or newer.
+
+    This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
+ 
+    ```bash
+    $ mdatp config real_time_protection_statistics_enabled on
+    ```
+
+    This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+
+    ```bash
+    $ mdatp health
+    ```
+
+    Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
+
+    ```bash
+    $ mdatp --config realTimeProtectionEnabled true
+    ```
+
+    To collect current statistics, run:
+
+    ```bash
+    $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+    ```
+
+    The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
+
+    > [!NOTE]
+    > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
+
+3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+
+4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+    See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
new file mode 100644
index 0000000000..9ebc453a7a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -0,0 +1,27 @@
+---
+title: What's new in Microsoft Defender Advanced Threat Protection for Linux
+description: List of major changes for Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, whatsnew, release
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# What's new in Microsoft Defender Advanced Threat Protection for Linux
+
+## 100.90.70
+
+- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
+- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
+- Improvements to make the package installation more robust
+- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index ddd34985a3..aa9058cedb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -1,6 +1,6 @@
 ---
 title: Investigate entities on machines using live response in Microsoft Defender ATP
-description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
+description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
 keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -17,27 +17,42 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Investigate entities on machines using live response
+# Investigate entities on devices using live response
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
-Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. 
+Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats –- in real time. 
 
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. 
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. 
 
-With live response, analysts will have the ability to:
-- Run basic and advanced commands to do investigative work 
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
+
+With live response, analysts can do all of the following tasks:
+- Run basic and advanced commands to do investigative work on a device
 - Download files such as malware samples and outcomes of PowerShell scripts
-- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
+- Download files in the background (new!)
+- Upload a PowerShell script or executable to the library and run it on a device from a tenant level
 - Take or undo remediation actions
 
-
 ## Before you begin
-Before you can initiate a session on a machine, make sure you fulfill the following requirements:
 
-- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. 
+Before you can initiate a session on a device, make sure you fulfill the following requirements:
+
+- **Verify that you're running a supported version of Windows 10** <br/>
+Devices must be running one of the following versions of Windows 10:
+   - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later  
+   - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+   - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+   - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+   - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+
+- **Make sure to install appropriate security updates**<br/>
+   - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
+   - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
+   - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+   - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
 
 - **Enable live response from the settings page**<br>
 You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
@@ -50,18 +65,18 @@ You'll need to enable the live response capability in the [Advanced features set
     >[!WARNING]
     >Allowing the use of unsigned scripts may increase your exposure to threats.
  
-  Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+  Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
     
 - **Ensure that you have the appropriate permissions**<br>
-	Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). 
+    Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). 
 
     > [!IMPORTANT]
     > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
 
-    Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. 
+    Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role. 
 
 ## Live response dashboard overview
-When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: 
+When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following: 
 
 - Who created the session
 - When the session started
@@ -77,81 +92,109 @@ The dashboard also gives you access to:
 ## Initiate a live response session on a machine 
 
 1. Log in to Microsoft Defender Security Center.
-2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
 
-    >[!NOTE]
-    >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. 
+2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
 
-2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
-3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
-4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
+3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
 
+4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
 
+5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
 
 ## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). 
+
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md). 
 
 ### Basic commands
-The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). 
 
-Command | Description 
-:---|:---|:---
-cd | Changes the current directory. 
-cls | Clears the console screen. 
-connect | Initiates a live response session to the machine. 
-connections | Shows all the active connections.
-dir | Shows a list of files and subdirectories in a directory
-drivers |  Shows all drivers installed on the machine.
-fileinfo | Get information about a file.
-findfile | Locates files by a given name on the machine.
-help | Provides help information for live response commands.
-persistence | Shows all known persistence methods on the machine.
-processes | Shows all processes running on the machine.
-registry | Shows registry values.
-scheduledtasks| Shows all scheduled tasks on the machine. 
-services | Shows all services on the machine. 
-trace | Sets the terminal's logging mode to debug.
+The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md). 
 
+| Command | Description |
+|---|---|--- |
+|`cd` | Changes the current directory. | 
+|`cls` | Clears the console screen.  |
+|`connect` | Initiates a live response session to the device. |
+|`connections` | Shows all the active connections. |
+|`dir` | Shows a list of files and subdirectories in a directory. |
+|`download <file_path> &` | Downloads a file in the background. |
+drivers |  Shows all drivers installed on the device. |
+|`fg <command ID>` | Returns a file download to the foreground. |
+|`fileinfo` | Get information about a file. |
+|`findfile` | Locates files by a given name on the device. |
+|`help` | Provides help information for live response commands. |
+|`persistence` | Shows all known persistence methods on the device. |
+|`processes` | Shows all processes running on the device. |
+|`registry` | Shows registry values. |
+|`scheduledtasks` | Shows all scheduled tasks on the device. |
+|`services` | Shows all services on the device. |
+|`trace` | Sets the terminal's logging mode to debug. |
 
 ### Advanced commands
-The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). 
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). 
 
-Command | Description 
-:---|:---
-analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. 
-run | Runs a PowerShell script from the library on the machine.
-library | Lists files that were uploaded to the live response library.
-putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. 
-undo | Restores an entity that was remediated. 
+| Command | Description |
+|---|---|
+| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
+| `getfile` | Gets a file from the device. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
+| `run` | Runs a PowerShell script from the library on the device. |
+| `library` | Lists files that were uploaded to the live response library. |
+| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
+| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. 
+|`undo` | Restores an entity that was remediated. |
 
 
 ## Use live response commands
+
 The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
 
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
+The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
 
 ### Get a file from the machine
-For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
+
+For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
 
 >[!NOTE]
 >There is a file size limit of 750mb.
 
+### Download a file in the background
+
+To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
+
+- To download a file in the background, in the live response command console, type `download <file_path> &`
+- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
+- To bring a file download to the foreground, in the live response command console, type `fg <command_id>`  
+
+Here are some examples:
+
+
+|Command  |What it does  |
+|---------|---------|
+|`"C:\windows\some_file.exe" &`     |Starts downloading a file named *some_file.exe* in the background.         |
+|`fg 1234`     |Returns a download with command ID *1234* to the foreground         |
+
+
 ### Put a file in the library
+
 Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
 
 Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. 
 
-You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. 
+You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with. 
+
+#### To upload a file in the library
 
-**To upload a file in the library:** 
 1. Click **Upload file to library**. 
+
 2. Click **Browse** and select the file.
+
 3. Provide a brief description.
+
 4. Specify if you'd like to overwrite a file with the same name.
+
 5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+
 6. Click **Confirm**. 
+
 7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
 
 
@@ -161,9 +204,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C.
 >[!WARNING]
 >Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. 
 
-
-
 ### Automatically run prerequisite commands
+
 Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
 
 You can use the auto flag to automatically run prerequisite commands, for example:
@@ -172,8 +214,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl
 getfile c:\Users\user\Desktop\work.txt -auto
 ```
 
-
 ## Run a PowerShell script 
+
 Before you can run a PowerShell script, you must first upload it to the library. 
 
 After uploading the script to the library, use the `run` command to run the script.
@@ -183,9 +225,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
 >[!WARNING]
 >Allowing the use of unsigned scripts may increase your exposure to threats.
 
-
-
 ## Apply command parameters
+
 - View the console help to learn about command parameters. To learn about an individual command, run:
  
     `help <command name>`
@@ -202,9 +243,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
 
     `<command name> -type file -id <file path> - auto` or `remediate file <file path> - auto`.
 
-
-
 ## Supported output types
+
 Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
 
 - `-output json`
@@ -213,8 +253,8 @@ Live response supports table and JSON format output types. For each command, the
 >[!NOTE]
 >Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
 
-
 ## Supported output pipes
+
 Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.  
 
 Example:
@@ -223,27 +263,24 @@ Example:
 processes > output.txt
 ```
 
-
-
 ## View the command log
-Select the **Command log** tab to see the commands used on the machine during a session. 
+
+Select the **Command log** tab to see the commands used on the device during a session. 
 Each command is tracked with full details such as:
 - ID
 - Command line
 - Duration
 - Status and input or output side bar
 
-
-
-
 ## Limitations
+
 - Live response sessions are limited to 10 live response sessions at a time
 - Large scale command execution is not supported
 - A user can only initiate one session at a time
-- A machine can only be in one session at a time
-- There is a file size limit of 750mb when downloading files from a machine
+- A device can only be in one session at a time
+- There is a file size limit of 750mb when downloading files from a device
 
-## Related topic
+## Related article
 - [Live response command examples](live-response-command-examples.md)
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 6459e6190e..7e0983fb5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -41,10 +41,10 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
 
 Exclusion | Definition | Examples
 ---|---|---
-File extension | All files with the extension, anywhere on the machine | .test
-File | A specific file identified by the full path | /var/log/test.log
-Folder | All files under the specified folder | /var/log/
-Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log`
+Folder | All files under the specified folder | `/var/log/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`
 
 ## How to configure the list of exclusions
 
@@ -64,15 +64,15 @@ Select the type of exclusion that you wish to add and follow the prompts.
 
 You can validate that your exclusion lists are working by using `curl` to download a test file.
 
-In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
 
 ```bash
-$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
+$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
 ```
 
 If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
 
-If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
 
 ```bash
 echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 94bb66756c..2e8c52861f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -15,6 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
+ms.date: 04/03/2020
 ---
 
 # JAMF-based deployment for Microsoft Defender ATP for Mac
@@ -73,17 +74,17 @@ You need to create a configuration profile and a policy to start deploying Micro
 
 ### Configuration Profile
 
-The configuration profile contains a custom settings payload that includes:
+The configuration profile contains a custom settings payload that includes the following:
 
 - Microsoft Defender ATP for Mac onboarding information
-- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
+- Approved Kernel Extensions payload to enable running the Microsoft kernel driver
 
-To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
+To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
 
   >[!IMPORTANT]
-  > You must set the Preference Domain as "com.microsoft.wdav.atp"
+  > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
 
-![Configuration profile screenshot](../windows-defender-antivirus/images/MDATP-16-PreferenceDomain.png)
+![Configuration profile screenshot](./images/msdefender-mac-config-profile.png)
 
 ### Approved Kernel Extension
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 76875534f3..6c5a04ada0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -362,9 +362,9 @@ Specifies the value of tag
 
 ## Recommended configuration profile
 
-To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
 
-The following configuration profile will:
+The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
 - Enable real-time protection (RTP)
 - Specify how the following threat types are handled:
   - **Potentially unwanted applications (PUA)** are blocked
@@ -372,7 +372,7 @@ The following configuration profile will:
 - Enable cloud-delivered protection
 - Enable automatic sample submission
 
-### JAMF profile
+### Property list for JAMF configuration profile
 
 ```XML
 <?xml version="1.0" encoding="UTF-8"?>
@@ -491,9 +491,9 @@ The following configuration profile will:
 
 ## Full configuration profile example
 
-The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
+The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
 
-### JAMF profile
+### Property list for JAMF configuration profile
 
 ```XML
 <?xml version="1.0" encoding="UTF-8"?>
@@ -734,16 +734,16 @@ The following configuration profile contains entries for all settings described
         </array>
 ```
 
-## Configuration profile validation
+## Property list validation
 
-The configuration profile must be a valid *.plist* file. This can be checked by executing:
+The property list must be a valid *.plist* file. This can be checked by executing:
 
 ```bash
 $ plutil -lint com.microsoft.wdav.plist
 com.microsoft.wdav.plist: OK
 ```
 
-If the configuration profile is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
+If the file is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
 
 ## Configuration profile deployment
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
new file mode 100644
index 0000000000..564bfecdbd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -0,0 +1,54 @@
+---
+title: Troubleshoot installation issues for Microsoft Defender ATP for Mac
+description: Troubleshoot installation issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, install
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Troubleshoot installation issues for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+## Installation failed
+
+For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well.
+
+While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only:
+
+```bash
+$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
+
+preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
+INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
+correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
+[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
+preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
+```
+
+In the example above the actual reason is prefixed with `[ERROR]`.
+The installation failed because a downgrade between these versions is not supported.
+
+## No MDATP's install log
+
+In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
+You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information;
+
+```bash
+grep '^2020-03-11 13:08' /var/log/install.log
+
+log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
new file mode 100644
index 0000000000..3a6c85369b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
@@ -0,0 +1,46 @@
+---
+title: Troubleshoot license issues for Microsoft Defender ATP for Mac
+description: Troubleshoot license issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Troubleshoot license issues for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error:
+
+![Image of license error](images/no-license-found.png)
+
+**Message:** 
+
+No license found
+
+Looks like your organization does not have a license for Microsoft 365 Enterprise subscription.
+
+Contact your administrator for help.
+
+**Cause:** 
+
+You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package").
+
+**Solution:**
+
+Follow the WindowsDefenderATPOnboarding.py instructions documented here:
+[Client configuration](mac-install-manually.md#client-configuration)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 7770111d6d..33e4268575 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -61,6 +61,12 @@ The `Production` channel contains the most stable version of the product.
 | **Data type** | String |
 | **Possible values** | InsiderFast <br/> External <br/> Production |
 
+>[!WARNING]
+>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
+> ```bash
+> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
+> ```
+
 ### Set update check frequency
 
 Change how often MAU searches for updates.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index ebad1005b3..57fde3cc75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -26,6 +26,20 @@ ms.topic: conceptual
 > 
 > If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
 
+## 100.90.27
+
+- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
+- New product icon
+- Other user experience improvements
+- Bug fixes
+
+## 100.86.92
+
+- Improvements around compatibility with Time Machine
+- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation
+- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
+- Other performance improvements & bug fixes
+
 ## 100.86.91
 
 > [!CAUTION]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index a38094be67..92e5b76fd8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -25,6 +25,7 @@ ms.topic: article
 [!include[Prerelease information](../../includes/prerelease.md)]
 
 ## Methods
+
 Method|Return Type |Description
 :---|:---|:---
 [List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@@ -36,9 +37,11 @@ Method|Return Type |Description
 [Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
 [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
 [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
+[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
 
 ## Properties
-Property |	Type	|	Description
+
+Property |   Type   |   Description
 :---|:---|:---
 id | String | [machine](machine.md) identity.
 computerDnsName | String | [machine](machine.md) fully qualified name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index ae1856f3eb..ed7b91f290 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -122,7 +122,7 @@ It's important to understand the following prerequisites prior to creating indic
 
 >[!IMPORTANT]
 > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS): <br>
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
 > NOTE:
 >- IP is supported for all three protocols
 >- Encrypted URLs (full path) can only be blocked on first party browsers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index b005d81545..1dd8377db2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
 
 Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
 
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
+
+
 The integration provides the following major improvements to the existing Cloud App Security discovery: 
 
 - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 463c512570..a4991649d4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -59,7 +59,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
 </tr>
 <tr>
 <td colspan="7">
-<a href="#apis"><center><b>Centratlized configuration and administration, APIs</a></b></center></td>
+<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>
 </tr>
 <tr>
 <td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index 96bb2dc3c9..14e534cd2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -38,10 +38,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend
 > [!CAUTION]
 > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
 
-
-
-
-
 ## How to install Microsoft Defender ATP for Linux
 
 ### Prerequisites
@@ -53,6 +49,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
 ### Known issues
 
 - Logged on users do not appear in the ATP portal.
+- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer.
 - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
 
     ```bash
@@ -73,20 +70,32 @@ In general you need to take the following steps:
     - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
     - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
 
+If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
+
 ### System requirements
 
 - Supported Linux server distributions and versions: 
 
-  - Red Hat Enterprise Linux 7 or higher
-  - CentOS 7 or higher
+  - Red Hat Enterprise Linux 7.2 or higher
+  - CentOS 7.2 or higher
   - Ubuntu 16.04 LTS or higher LTS
   - Debian 9 or higher
   - SUSE Linux Enterprise Server 12 or higher
-  - Oracle Linux 7
+  - Oracle Linux 7.2 or higher
 
 - Minimum kernel version 2.6.38
 - The `fanotify` kernel option must be enabled
 - Disk space: 650 MB
+- The solution currently provides real-time protection for the following file system types:
+
+  - btrfs
+  - ext2
+  - ext3
+  - ext4
+  - tmpfs
+  - xfs
+
+  More file system types will be added in the future.
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
@@ -96,10 +105,10 @@ The following table lists the services and their associated URLs that your netwo
 
 | Service location                         | DNS record              |
 | ---------------------------------------- | ----------------------- |
-| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
-| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com |
-| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
-| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com |
+| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
+| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
+| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
+| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
 
 > [!NOTE]
 > For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server) 
@@ -110,25 +119,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
 
 If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
 
-## Validating cloud connectivity
-
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
-
-If you prefer the command line, you can also check the connection by running the following command in Terminal:
-
-```bash
-$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to the following:
-
-> `OK https://x.cp.wd.microsoft.com/api/report`  
-> `OK https://cdn.x.cp.wd.microsoft.com/ping`
-
-Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
-```bash
-$ mdatp --connectivity-test
-```
+For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
 
 ## How to update Microsoft Defender ATP for Linux
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index fa9b382efb..d5135bbd1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -73,10 +73,10 @@ The following table lists the services and their associated URLs that your netwo
 
 | Service location                         | DNS record              |
 | ---------------------------------------- | ----------------------- |
-| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
-| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com |
-| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
-| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com |
+| Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/>  events.data.microsoft.com |
+| European Union                           | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
+| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
+| United States                            | unitedstates.x.cp.wd.microsoft.com  <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
 
 Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
 - Web Proxy Auto-discovery Protocol (WPAD)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index d418314c95..eed0fc1ca1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -28,7 +28,7 @@ There are some minimum requirements for onboarding machines to the service. Lear
 
 
 >[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+>- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
 >- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
 
 ## Licensing requirements
@@ -40,6 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 - Microsoft 365 E5 Security
 - Microsoft 365 A5 (M365 A5)
 
+For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. 
 
 For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 7773ecd54f..6b17eb0031 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -70,10 +70,33 @@ Microsoft Defender ATP's Threat & Vulnerability Management allows security admin
 - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
 - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
 
+## Before you begin
+
+Ensure that your machines:
+
+- Are onboarded to Microsoft Defender Advanced Threat Protection
+- Run with Windows 10 1709 (Fall Creators Update) or later
+
+>[!NOTE]
+>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+
+- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
+
+> Release | Security update KB number and link
+> :---|:---
+> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+
+- Are onboarded to Microsoft Intune and  Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
+- Have at least one security recommendation that can be viewed in the machine page
+- Are tagged or marked as co-managed
+
 ## Related topics
 
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@@ -81,10 +104,6 @@ Microsoft Defender ATP's Threat & Vulnerability Management allows security admin
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
 - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index ab3dd486d7..5b7477d473 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -28,11 +28,14 @@ Offboard machine from Microsoft Defender ATP.
 
 
 ## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+ - Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
 
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
+>[!Note]
+> This does not support offboarding macOS Devices.
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -83,4 +86,4 @@ Content-type: application/json
 {
   "Comment": "Offboard machine by automation"
 }
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 800d493402..5ac688bcec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -28,23 +28,23 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
 
 Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
 
->[!IMPORTANT]
->This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
+> [!IMPORTANT]
+> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
 
 To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.
 - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
 
->[!TIP]
+> [!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
 
 ## Configure and update System Center Endpoint Protection clients
->[!IMPORTANT]
->This step is required only if your organization uses System Center Endpoint Protection (SCEP).
+> [!IMPORTANT]
+> This step is required only if your organization uses System Center Endpoint Protection (SCEP).
 
 Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
 
@@ -59,16 +59,16 @@ The following steps are required to enable this integration:
 Review the following details to verify minimum system requirements:
 - Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
   
-  >[!NOTE]
-  >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
+  > [!NOTE]
+  > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
 
 - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
 
 - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
 
-    >[!NOTE]
-    >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
-    >Don't install .NET framework 4.0.x, since it will negate the above installation.
+    > [!NOTE]
+    > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+    > Don't install .NET Framework 4.0.x, since it will negate the above installation.
 
 - Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
 
@@ -93,29 +93,10 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
 ### Configure proxy and Internet connectivity settings
  
 - Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
-
-Agent Resource    |    Ports 
-:---|:---
-|    *.oms.opinsights.azure.com    |    443    |
-|    *.blob.core.windows.net    |    443    |
-|    *.azure-automation.net    |    443    |
-|    *.ods.opinsights.azure.com    |    443    |
-|    winatp-gw-cus.microsoft.com     |    443    |
-|    winatp-gw-eus.microsoft.com    |    443    |
-|    winatp-gw-neu.microsoft.com    |    443    |
-|    winatp-gw-weu.microsoft.com    |    443    |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 | 
-
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
 
 ## Offboard client endpoints
 To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP. 
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
-
-
-
-
-
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index ff5e1ed7d9..0534d30935 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -25,6 +25,18 @@ ms.topic: article
 
 To onboard machines without Internet access, you'll need to take the following general steps:
 
+> [!IMPORTANT] 
+> The steps below are applicable only to machines running previous versions of Windows such as:
+Windows Server 2016 and earlier or Windows 8.1 and earlier.
+
+> [!NOTE]
+> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO.
+
+For more information, see the following articles:
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
+- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
+- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
+
 ## On-premise machines
 
 - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 2e8bae4127..3a1e55ca42 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -1,5 +1,5 @@
 ---
-title: Onboard to the Micrsoft Defender ATP service
+title: Onboard to the Microsoft Defender ATP service
 description: 
 keywords: 
 search.product: eADQiWindows 10XVcnh
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Onboard to the Micrsoft Defender ATP service
+# Onboard to the Microsoft Defender ATP service
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
@@ -34,7 +34,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
      <td align="center">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
         <img src="images/setup.png" alt="Setup the Microsoft Defender ATP service" title="Setup" />
-      <br/>Phase 2: Setup </a><br>
+      <br/>Phase 2: Set up </a><br>
     </td>
     <td align="center" bgcolor="#d5f5e3">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager.
 
 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.            
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png)
 
 2. Right Click **Device Collection** and select **Create Device Collection**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png)
 
 3. Provide a **Name** and **Limiting Collection**, then select **Next**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png)
 
 4. Select **Add Rule** and choose **Query Rule**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png)
 
 5.  Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
 
-     ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png)
+     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png)
 
 6. Select **Criteria** and then choose the star icon.
 
-     ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png)
+     ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png)
 
 7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png)
 
 8. Select **Next** and **Close**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png)
 
 9. Select **Next**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png)
 
 After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. 
 
@@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices.
 
     ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
 
-3.	Select **Download package**.
+3.    Select **Download package**.
 
     ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
 
@@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices.
 
 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png)
 
 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
 
-    ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png)
+    ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png)
 
 8. Click **Browse**.
 
@@ -184,11 +184,11 @@ Before the systems can be onboarded into the workspace, the deployment scripts n
 Edit the InstallMMA.cmd with a text editor, such as notepad and update the
 following lines and save the file:
 
-   ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
+    ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
 
 Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
 
-   ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
+    ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
 
 Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
 Systems:
@@ -257,15 +257,15 @@ MMA for enrollment into the workspace.
 
 9.  Set Run to **Hidden**.
 
-10.  Set **Program can run** to **Whether or not a user is logged on**.
+10. Set **Program can run** to **Whether or not a user is logged on**.
 
-11.  Click **Next**.
+11. Click **Next**.
 
-12.  Set the **Maximum allowed run time** to 720.
+12. Set the **Maximum allowed run time** to 720.
 
-13.  Click **Next**.
+13. Click **Next**.
 
-   ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
+    ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
 
 14. Verify the configuration, then click **Next**.
 
@@ -275,12 +275,12 @@ MMA for enrollment into the workspace.
 
 16. Click **Close**.
 
-17.  In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
+17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
     Onboarding Package just created and select **Deploy**.
 
 18. On the right panel select the appropriate collection.
 
-19.  Click **OK**.
+19. Click **OK**.
 
 ## Next generation protection 
 Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
@@ -318,7 +318,7 @@ needs on how Antivirus is configured.
 
     ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
 
-3. Right-click on the newly created antimalware policy and select **Deploy** .
+3. Right-click on the newly created antimalware policy and select **Deploy**.
 
     ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 1247c43078..4fda24160f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -1,8 +1,8 @@
 ---
 title: Overview of attack surface reduction
 ms.reviewer: 
-description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
+description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP.
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -22,17 +22,19 @@ ms.topic: conceptual
 # Overview of attack surface reduction
 
 **Applies to:**
+
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
+Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
 
-|Article | Description |
-|-------|------|
-|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
-|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
-|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
-|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
-|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content.
-|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
-|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
-|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
+Article | Description
+-|-
+[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus).
+[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
+[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
+[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus)
+[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content.
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
+[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 4c4cf5edcf..261734d68b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -32,12 +32,10 @@ Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously col
 
 The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
 
-## In this section
 
-Topic | Description
-:---|:---
-[Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed.
-[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts.
-[Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts.
-[Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time.
-[Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files.
+## Related topics
+- [Security operations dashboard](security-operations-dashboard.md)
+- [Incidents queue](view-incidents-queue.md)
+- [Alerts queue](alerts-queue.md)
+- [Machines list](machines-view-overview.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index bf5f352335..2436a0642e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -38,7 +38,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
      <td align="center"  >
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
         <img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup the Microsoft Defender ATP service" />
-      <br/>Phase 2: Setup </a><br>
+      <br/>Phase 2: Set up </a><br>
         </td>
     <td align="center">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@@ -180,5 +180,5 @@ how the endpoint security suite should be enabled.
 ## Next step
 |||
 |:-------|:-----|
-|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Setup Microsoft Defender ATP deployment
+|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 4cde145e4c..c55fe2642d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -24,14 +24,15 @@ ms.topic: conceptual
 
 The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
 
-> [!TIP] 
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) 
+> [!TIP]
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
 
 Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
 
 For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
 
 ## Turn on preview features
+
 You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
 
 Turn on the preview experience setting to be among the first to try upcoming features.
@@ -41,17 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 2. Toggle the setting between **On** and **Off** and select **Save preferences**.
 
 ## Preview features
+
 The following features are included in the preview release:
+- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
 
 - [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
- 
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
+
+ - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
 
 - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
  
  - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
 
-- [Machine health and compliance report](machine-reports.md)  The machine health and compliance report provides high-level information about the devices in your organization.
+- [Machine health and compliance report](machine-reports.md) <br/> The machine health and compliance report provides high-level information about the devices in your organization.
 
 - [Information protection](information-protection-in-windows-overview.md)<BR>
 Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 5ee99f304a..4fabe73b03 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -1,5 +1,5 @@
 ---
-title: Setup Microsoft Defender ATP deployment
+title: Set up Microsoft Defender ATP deployment
 description: 
 keywords:
 search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article 
 ---
 
-# Setup Microsoft Defender ATP deployment
+# Set up Microsoft Defender ATP deployment
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -36,7 +36,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
      <td align="center"bgcolor="#d5f5e3">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
         <img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup" />
-      <br/>Phase 2: Setup </a><br>
+      <br/>Phase 2: Set up </a><br>
     </td>
     <td align="center">
       <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@@ -48,7 +48,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
   </tr>
 </table>
 
-You are currently in the setup phase.
+You are currently in the set up phase.
 
 In this deployment scenario, you'll be guided through the steps on:
 - Licensing validation
@@ -69,9 +69,9 @@ Checking for the license state and whether it got properly provisioned, can be d
 
 1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
 
-   - On the screen you will see all the provisioned licenses and their current **Status**.
+    On the screen you will see all the provisioned licenses and their current **Status**.
 
-   ![Image of billing licenses](images/atp-billing-subscriptions.png)
+    ![Image of billing licenses](images/atp-billing-subscriptions.png)
 
 
 ## Cloud Service Provider validation
@@ -88,7 +88,7 @@ To gain access into which licenses are provisioned to your company, and to check
 
 ## Tenant Configuration
 
-When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
+When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
 
 1. From a web browser, navigate to <https://securitycenter.windows.com>.
 
@@ -103,7 +103,7 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo
 
 4. Set up preferences.
 
-   **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation. 
+   **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation. 
 
     **Data retention** - The default is 6 months.
 
@@ -160,11 +160,8 @@ services if a computer is not permitted to connect to the Internet. The static
 proxy is configurable through Group Policy (GP). The group policy can be found
 under:
 
--   Administrative Templates \> Windows Components \> Data Collection and
-    Preview Builds \> Configure Authenticated Proxy usage for the Connected User
-    Experience and Telemetry Service
-
-    -   Set it to **Enabled** and select **Disable Authenticated Proxy usage**
+ - Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
+     - Set it to **Enabled** and select **Disable Authenticated Proxy usage**
 
 1. Open the Group Policy Management Console.
 2. Create a policy or edit an existing policy based off the organizational practices.
@@ -261,4 +258,4 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
 ## Next step
 |||
 |:-------|:-----|
-|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
\ No newline at end of file
+|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 54dc6d37fa..1aabe438b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -29,6 +29,9 @@ ms.topic: article
 
 Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
 
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
+
+
 ## In this section
 
 Topic | Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 8998da024b..9213bd067e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -126,7 +126,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
    ```
 
 > [!NOTE]
-> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
+> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
+> 
+> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
 
 ## Add indicator to block or allow a file
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 49e8e4c12d..414a3a54fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -20,11 +20,12 @@ ms.topic: article
 
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
 ## Methods
+
 Method |Return Type |Description
 :---|:---|:---
 [List software](get-software.md) | Software collection | List the organizational software inventory.
@@ -32,16 +33,17 @@ Method |Return Type |Description
 [List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
 [List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
 [List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
 
 ## Properties
-Property |	Type	|	Description
+
+Property |   Type   |   Description
 :---|:---|:---
 id | String | Software ID
-Name | String | Software name 
-Vendor | String | Software vendor name 
-Weaknesses | Long | Number of discovered vulnerabilities 
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
 publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
 activeAlert | Boolean | Active alert is associated with this software
 exposedMachines | Long | Number of exposed machines
-impactScore | Double | Exposure score impact of this software 
-
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 14398b7265..6d27373c84 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -27,155 +27,19 @@ ms.topic: article
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-## Before you begin
+## APIs
 
-Ensure that your machines:
+Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
 
-- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Run with Windows 10 1709 (Fall Creators Update) or later
-
->[!NOTE]
->Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
-
-- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
-
-> Release | Security update KB number and link
-> :---|:---
-> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
-
-- Are onboarded to Microsoft Intune and  Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
-- Have at least one security recommendation that can be viewed in the machine page
-- Are tagged or marked as co-managed
-
-## Reduce your threat and vulnerability exposure
-
-Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
-
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
-
-- Weaknesses, such as vulnerabilities discovered on the device
-- External and internal threats such as public exploit code and security alerts
-- Likelihood of the device to get breached given its current security posture
-- Value of the device to the organization given its role and content
-
-The exposure score is broken down into the following levels:
-
-- 0–29: low exposure score
-- 30–69: medium exposure score
-- 70–100: high exposure score
-
-You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
-
-To lower down your threat and vulnerability exposure:
-
-1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.  
-
-   There are two types of recommendations:
-
-   - *Security update* which refers to recommendations that require a package installation
-   - *Configuration change* which refers to recommendations that require a registry or GPO modification
-
-   Always prioritize recommendations that are associated with ongoing threats:
-
-   - ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
-   - ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
-  
-   >![Top security recommendations](images/tvm_security_recommendations.png)
-
-2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel.  ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
-
-3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
-
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details.  ![Details in machine page](images/tvm_machine_page_details.png)
-
-5. Allow a few hours for the changes to propagate in the system.
-
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
-
-## Improve your security configuration
-
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md).
-
-You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-
-1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
-
-   >![Configuration score widget](images/tvm_config_score.png)
-
-2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
-
-   ![Security controls related security recommendations](images/tvm_security_controls.png)
-
-3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
-
-   >![Request remediation](images/tvm_request_remediation.png).
-
-   You will see a confirmation message that the remediation task has been created.
-   >![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
-
-4. Save your CSV file.
-   ![Save csv file](images/tvm_save_csv_file.png)
-
-5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
-
-6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
-
-## Request a remediation 
-
->[!NOTE]
->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-
-The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. 
-
-Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
-
-1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
-
-2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
-
-3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
-
-4. Go to the **Remediation** page to view the status of your remediation request.
-
-See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
-
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
-
-## File for exception
-
-With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
-
-There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
-
-Exceptions can be created for both *Security update* and *Configuration change* recommendations.
-
-When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-
-1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
-
-2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
-
-3. Click **Exception options**.
-![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png)
-
-4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
-
-> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)
-
-5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
-![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)
-
-6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
-![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
+- [Machine APIs](machine.md)
+- [Recommendation APIs](vulnerability.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
 
 ## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
 
-1. Go to **Advanced hunting** from the left-hand navigation pane.
+1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
 
 2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
 
@@ -196,42 +60,53 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
 
 ```
 
-## Conduct an inventory of software or software versions which have reached end-of-support (EOS)
+## Find and remediate software or software versions which have reached end-of-support (EOS)
 
-End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
 
-It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
 
-To conduct an inventory of software or software versions which have reached end-of-support:
+To find software or software versions which have reached end-of-support:
 
 1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
-2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**).
-3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**).
-4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
-![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png)
+2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
 
-5. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it.
-![Screenshot of software details for a software that reached its end of support](images/secrec_sw_details.png)
+    ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png)
+
+3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
+
+    ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
+
+### List of versions and dates
+
+To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
+
+1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
+
+    ![Screenshot of version distribution link](images/eos-upcoming-eos.png) <br><br>
+
+2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
+
+    ![Screenshot of version distribution link](images/software-drilldown-eos.png) <br><br>
+
+3. Select one of the versions in the table to open. For example, version 3.5.2150.0. A flyout will appear with the end of support date.
+
+![Screenshot of version distribution link](images/version-eos-date.png)<br><br>
 
 After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
 
 ## Related topics
 
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
 - [Advanced hunting overview](overview-hunting.md)
 - [All advanced hunting tables](advanced-hunting-reference.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index e0ce98100b..34dcdcc230 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -72,11 +72,12 @@ IE and Microsoft Edge use the **Region** settings configured in the **Clocks, La
 #### Known issues with regional formats
 
 **Date and time formats**<br>
-There are some known issues with the time and date formats. 
+There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings.
 
-The following date formats are supported:
-- MM/dd/yyyy
-- dd/MM/yyyy
+The following date and time formats are supported:
+- Date format MM/dd/yyyy
+- Date format dd/MM/yyyy
+- Time format hh:mm:ss (12 hour format)
 
 The following date and time formats are currently not supported:
 - Date format yyyy-MM-dd
@@ -84,7 +85,7 @@ The following date and time formats are currently not supported:
 - Date format dd/MM/yy
 - Date format MM/dd/yy
 - Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+- Time format HH:mm:ss (24 hour format)
 
 **Decimal symbol used in numbers**<br>
 Decimal symbol used is always a dot, even if a comma is selected in  the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
index 8e21eddb4d..d415db238d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -52,5 +52,14 @@ If while trying to take an action during a live response session, you encounter
 4. Navigate to your TEMP folder.
 5. Run the action you wanted to take on the copied file.
 
+## Slow live response sessions or delays during initial connections
+Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows. 
+If you are having connectivity issues with live response, please confirm the following:
+1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+2. WpnService (Windows Push Notifications System Service) is not disabled.
 
+Please refer to the articles below to fully understand the WpnService service behavior and requirements:
+- [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview)
+- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config)
+- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index e4cd47a5a8..317cac63d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -13,7 +13,7 @@ author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
-ms.collection: M365-security-compliance 
+ms.collection: M365-security-compliance
 ms.topic: troubleshooting
 ---
 
@@ -68,7 +68,7 @@ If the script fails and the event is an error, you can check the event ID in the
 Event ID | Error Type | Resolution steps
 :---|:---|:---
 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
-10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
+10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.<br>Verify that the script has been run as an administrator.
 15 |  Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
 15 | Failed to start SENSE service | If the message of the error is: System error 577  or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
 30 |  The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
@@ -79,7 +79,7 @@ Event ID | Error Type | Resolution steps
 ### Troubleshoot onboarding issues using Microsoft Intune
 You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
 
-If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. 
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
 
 Use the following tables to understand the possible causes of issues while onboarding:
 
@@ -87,7 +87,7 @@ Use the following tables to understand the possible causes of issues while onboa
 - Known issues with non-compliance table
 - Mobile Device Management (MDM) event logs table
 
-If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.  
+If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
 
 **Microsoft Intune error codes and OMA-URIs**:
 
@@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
 
    > [!NOTE]
-	> SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
+   > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
 
 3. Select **Operational** to load the log.
 
@@ -282,28 +282,125 @@ You might also need to check the following:
 
 - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors.
 
-- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, 
+- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
 
     ![Image of Services](images/atp-services.png)
 
-- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. 
+- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
 
     ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png)
 
-- Check to see that machines are reflected in the **Machines list** in the portal. 
+- Check to see that machines are reflected in the **Machines list** in the portal.
+
+## Confirming onboarding of newly built machines 
+There may be instances when onboarding is deployed on a newly built machine but not completed. 
+
+The steps below provide guidance for the following scenario:
+- Onboarding package is deployed to newly built machines
+- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
+- Machine is turned off or restarted before the end user performs a first logon
+- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
+
+>[!NOTE]
+>The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch)
 
 
-## Licensing requirements
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+1. Create an application in Microsoft Endpoint Configuration Manager current branch. 
 
-- Windows 10 Enterprise E5
-- Windows 10 Education E5
-- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-1.png)
 
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2).
+2. Select **Manually specify the application information**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-2.png)
 
+3. Specify information about the application, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-3.png)
+
+4.  Specify information about the software center, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-4.png)
+
+5. In **Deployment types** select **Add**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-5.png)
+
+6. Select **Manually specify the deployment type information**, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-6.png)
+
+7. Specify information about the deployment type, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-7.png)
+
+8. In **Content** > **Installation program** specify the command: `net start sense`.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-8.png)
+
+9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**. 
+
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-9.png)
+
+10. Specify the following detection rule details, then select **OK**:
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-10.png)
+
+11. In **Detection method** select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-11.png)
+
+12. In **User Experience**, specify the following information, then select **Next**:
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-12.png)
+
+13. In **Requirements**, select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-13.png)
+
+14. In **Dependencies**, select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-14.png)
+
+15. In **Summary**, select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-15.png)
+
+16. In **Completion**, select **Close**.
+    
+     ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-16.png)
+
+17. In **Deployment types**, select **Next**.
+    
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-17.png)
+
+18. In **Summary**, select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-18.png)
+    
+    The status is then displayed
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-19.png)
+
+19. In **Completion**, select **Close**.
+    
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-20.png)
+
+20. You can now deploy the application by right-clicking the app and selecting **Deploy**.
+    
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-21.png)
+
+21. In **General** select **Automatically distribute content for dependencies** and **Browse**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-22.png)
+
+22. In **Content** select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-23.png)
+
+23. In **Deployment settings**, select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-24.png)
+
+24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-25.png)
+
+25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-26.png)
+
+26. In **Alerts** select **Next**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-27.png)
+
+27. In **Summary**, select **Next**. 
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-28.png)
+
+    The status is then displayed
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-29.png)
+
+28. In **Completion**, select **Close**.
+    ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-30.png)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
 
 
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index d2c196a62c..e35d189282 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -76,7 +76,7 @@ Area | Description
 [**Exposure score**](tvm-exposure-score.md)   | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
 [**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
 **Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
 **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
 **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
 **Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
@@ -85,8 +85,8 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
 
 ## Related topics
 
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@@ -94,4 +94,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 6785da1317..3078eee09f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -30,28 +30,56 @@ The card gives you a high-level view of your exposure score trend over time. Any
 
 ## How it works
 
-Several factors affect your organization exposure score:
+Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
 
-- Weakness discovered on the device
-- Likelihood of a device getting breached
-- Value of the device to the organization
-- Relevant alert discovered on the device
+The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
 
-Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
+- Weaknesses, such as vulnerabilities discovered on the device
+- External and internal threats such as public exploit code and security alerts
+- Likelihood of the device to get breached given its current security posture
+- Value of the device to the organization given its role and content
+
+The exposure score is broken down into the following levels:
+
+- 0–29: low exposure score
+- 30–69: medium exposure score
+- 70–100: high exposure score
+
+You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+## Reduce your threat and vulnerability exposure
+
+To lower your threat and vulnerability exposure, follow these steps.
+
+1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens.  
+
+   Always prioritize recommendations that are associated with ongoing threats:
+
+   - ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
+   - ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
+
+   ![Screenshot of security recommendations page](images/top-security-recommendations350.png)
+
+2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel.  ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
+
+3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
+
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details.  ![Details in machine page](images/tvm_machine_page_details.png)
+
+5. Allow a few hours for the changes to propagate in the system.
+
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
 
 ## Related topics
 
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index a0465dd642..96d0ba1377 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -8,135 +8,101 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 04/11/2019
 ---
-# Remediation and exception
+# Remediation activities and exceptions
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 >[!NOTE]
 >To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
 
-After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
 
-You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
 
-## Navigate through your remediation options 
-You can access the remediation page in a few places in the portal:
-- Security recommendation flyout panel
-- Remediation in the navigation menu
-- Top remediation activities widget in the dashboard
+## Navigate to the Remediation page
 
-*Security recommendation flyout page*
-<br>You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard. 
-1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
-2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**. 
+You can access the Remediation page a few different ways:
 
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 
-3. Select a remediation due date.
-4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance. 
+### Navigation menu
 
-If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
 
-*Remediation in the navigation menu*
-1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
-![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
+### Top remediation activities in the dashboard
 
-2. Select the remediation activity that you need to see or process. 
-![Screenshot of the remediation page flyout for a software which reached its end-of-life](images/remediation_flyouteolsw.png)
+View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
 
-*Top remediation activities widget in the dashboard*
-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**. 
-2. Select the remediation activity that you need to see or process.
+![Screenshot of the remediation page flyout for a software which reached end-of-support](images/tvm-remediation-activities-card.png)
 
-## How it works
+## Remediation activities
 
-When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. 
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
 
-It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
+Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
+![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png)
 
-The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+## Exceptions
 
-## When to file for exception instead of remediating issues 
-You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score.
+When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception  for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). 
 
-When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
-
-Select **Exception options** and a flyout screen opens.
-
-![Screenshot of exception flyout screen](images/tvm-exception-flyout.png)
-
-### Exception justification
-If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
-
--   **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall -   -   prevents access to a machine, third party antivirus
--   **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow 
--   **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
--   **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
--   **Other** - False positive
-   
-   
-   ![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png)
-
-### Exception visibility
-The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab.
-However, you also have the option to filter your view based on exception justification, type, and status.  
+The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.  
 
 ![Screenshot of exception tab and filters](images/tvm-exception-filters.png)
 
-Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. 
+### Exception actions and statuses
 
-![Screenshot of Show exceptions link in the  Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png)
+You can take the following actions on an exception:
 
-Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details.
+- Cancel - You can cancel the exceptions you've filed any time
+- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
 
-![Screenshot of exception details in the Security recommendation page](images/tvm-exception-details.png)
+The following statuses will be a part of an exception:
 
-### Actions on exceptions
--  Cancel - You can cancel the exceptions you've filed any time
--  Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
-
-### Exception status
--   **Canceled** - The exception has been canceled and is no longer in effect  
--   **Expired** - The exception that you've filed is no longer in effect
--   **In effect** - The exception that you've filed is in progress
+- **Canceled** - The exception has been canceled and is no longer in effect  
+- **Expired** - The exception that you've filed is no longer in effect
+- **In effect** - The exception that you've filed is in progress
 
 ### Exception impact on scores
+
 Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
--   **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
--   **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
--   **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
+
+- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
+- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
+- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
 
 The exception impact shows on both the Security recommendations page column and in the flyout pane.
 
 ![Screenshot of where to find the exception impact](images/tvm-exception-impact.png)
 
+### View exceptions in other places
+
+Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+
+![Screenshot of Show exceptions link in the  Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png)
+
 ## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-
-
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a33b2a7311..14d39dfac1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -1,6 +1,6 @@
 ---
-title: Security recommendation
-description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
+title: Security recommendations
+description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value.
 keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -8,17 +8,18 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 04/11/2019
 ---
-# Security recommendation
+# Security recommendations
+
 **Applies to:**
+
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 > [!TIP]
@@ -26,92 +27,150 @@ ms.date: 04/11/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
 
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. 
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
 
-## The basis of the security recommendation
-Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
+## How it works
 
-- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. 
+Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
 
-- Breach likelihood - Your organization's security posture and resilience against threats
+- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
 
-- Business value - Your organization's assets, critical processes, and intellectual properties
+- **Breach likelihood** - Your organization's security posture and resilience against threats
 
+- **Business value** - Your organization's assets, critical processes, and intellectual properties
 
-## Navigate through your security recommendations
+## Navigate to the Security recommendations page
 
-You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it. 
+Access the Security recommendations page a few different ways:
 
-*Security recommendations option from the left navigation menu* 
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 
-1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. 
-![Screenshot of Security recommendations page](images/tvmsecrec-updated.png)
+View related security recommendations in the following places:
 
-    >[!NOTE]
-    > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left,  which means an increase or decrease at the end of even a single machine will change the graph's color.
+- Software page
+- Machine page
 
-    You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
-    <br></br>![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype-swupdatefilter.png)
+### Navigation menu
 
-2. Select the security recommendation that you need to investigate or process. 
-<br></br>![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png)
+Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
 
-    
-*Top security recommendations from the dashboard*
+### Top security recommendations in the Threat & Vulnerability Management dashboard
 
-In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. 
+In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
 
-The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.   
+![Screenshot of security recommendations page](images/top-security-recommendations350.png)
 
-You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
+The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
 
-From that page, you can do any of the following depending on what you need to do:
+## Security recommendations overview
 
-- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time. 
+View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
 
-- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
 
-- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. 
+![Screenshot of security recommendations page](images/tvmsecrec-updated.png)
+
+### Icons
+
+Useful icons also quickly calls your attention to: <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>
+
+### Investigate
+
+Select the security recommendation that you want to investigate or process.
+
+![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png)
+
+From the flyout, you can do any of the following:
+
+- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.
+
+- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+
+- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
+
+>[!NOTE]
+>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
+
+## Request remediation
+
+The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+### Enable Microsoft Intune connection
+
+To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+### Remediation request steps
+
+1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
+
+2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
+
+## File for exception
+
+As an alternative to a remediation request, you can create exceptions for recommendations.
+
+There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
+
+Exceptions can be created for both Security update and Configuration change recommendations.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
+
+1. Select a security recommendation you would like create an exception for, and then **Exception options**.
+![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png)
+
+2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+    The following list details the justifications behind the exception options:
+
+    - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall -   -   prevents access to a machine, third party antivirus
+    - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
+    - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
+    - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+    - **Other** - False positive
+
+3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+
+4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past).
 
 ## Report inaccuracy
 
-You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
 
-1. Select the **Security recommendation** tab.
+1. Open the Security recommendation.
 
-2. Click **:** beside the security recommendation that you want to report about,  then select **Report inaccuracy**. 
-![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm-report-inaccuracy.png)
-<br>A flyout pane opens.</br>
-![Screenshot of Report inaccuracy flyout pane](images/tvm-report-inaccuracyflyout.png)
+2. Select the three dots beside the security recommendation that you want to report,  then select **Report inaccuracy**.
 
-3. From the flyout pane, select the inaccuracy category from the drop-down menu. 
-<br>![Screenshot of Report inaccuracy categories drop-down menu](images/tvm-report-inaccuracyoptions.png)</br>
+![Screenshot of Report inaccuracy control](images/report-inaccuracy500.png)
 
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
 
-5. Include your machine name for investigation context.
-
-    >[!TIP]
-    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
 
 
 ## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md) 
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 4428d8a925..84165fe568 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -8,74 +8,73 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 04/11/2019
 ---
 # Software inventory
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
 Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
 
-## Navigate through your software inventory
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life.      
-![Screenshot of software inventory page](images/software_inventory_filter.png) 
-2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. 
-3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated.
-
 ## How it works
-In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. 
+
+In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
 
 Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
 
+## Navigate to the Software inventory page
+
+You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+
+## Software inventory overview
+
+The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+![Screenshot of software inventory page](images/software_inventory_filter.png)
+
+Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+
+![Screenshot of software inventory flyout](images/tvm-software-inventory-flyout500.png)
+
+## Software pages
+
+Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
+
+- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines
+- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities.
+
+![Screenshot of software page example](images/tvm-software-page-example.png)
+
 ## Report inaccuracy
 
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
-
-1. Select the **Software inventory** tab. 
-
-2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**. 
-![Screenshot of Report inaccuracy control from the machine page under the Software inventory column](images/tvm_report_inaccuracy_software.png)
-<br>A flyout pane opens.</br>
-![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_softwareflyout.png)
-
-3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu. 
-<br>![Screenshot of Report inaccuracy software inventory inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_softwareoptions.png)</br>
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
-    >[!NOTE]
-    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
 
+1. Open the software flyout on the Software inventory page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
 
 ## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index bd569252f4..d7cad2e5aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -22,7 +22,7 @@ ms.topic: article
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
@@ -33,11 +33,11 @@ Operating system | Security assessment support
 Windows 7 | Operating System (OS) vulnerabilities
 Windows 8.1 | Not supported
 Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
-Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
-Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
-Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
-Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
+Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment 
+Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
+Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
+Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
+Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
 MacOS | Not supported (planned)
 Linux | Not supported (planned)
 
@@ -45,7 +45,8 @@ Some of the above prerequisites might be different from the [Minimum requirement
 
 ## Related topics
 
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
@@ -53,4 +54,5 @@ Some of the above prerequisites might be different from the [Minimum requirement
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index de5dd35eec..7df8d6c770 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -8,26 +8,26 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 10/31/2019
 ---
 # Weaknesses
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
 Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
 
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
 
 >[!IMPORTANT]
 >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -36,105 +36,95 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
 >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
 >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
 
+## Navigate to the Weaknesses page
 
-## Navigate through your organization's weaknesses page
-You can access the list of vulnerabilities in a few places in the portal:
+Access the Weaknesses page a few different ways:
+
+- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
 - Global search
-- Weaknesses option in the navigation menu
-- Top vulnerable software widget in the dashboard
-- Discovered vulnerabilities page in the machine page
 
-*Vulnerabilities in global search*
-1. Click the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for. 
+### Navigation menu
+
+Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs.
+
+### Vulnerabilities in global search
+
+1. Go to the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
 ![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png)
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. 
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
 
-    > [!NOTE]
-    > To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. 
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
 
-*Weaknesses page in the menu* 
-1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
-2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export.    
-![Screenshot of the CVE details in the flyout pane in the Weaknesses page](images/tvm-weaknesses-page.png)
+## Weaknesses overview
 
-*Top vulnerable software widget in the dashboard* 
-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. 
-![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png)
-2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. 
-3. Select the **Discovered vulnerabilities** tab. 
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.  
+If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
 
-*Discovered vulnerabilities in the machine page*
-1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens. 
-<br>![Screenshot of Machines list page](images/tvm_machineslist.png)</br>
-2. In the **Machines list** page, select the machine that you want to investigate. 
-<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
-<br>A flyout pane opens with machine details and response action options.</br>
-![Screenshot of the flyout pane with machine details and response options](images/tvm_machine_page_flyout.png)
-3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate. 
-<br>![Screenshot of the machine page with details and response options](images/tvm_machines_discoveredvuln.png)</br>
-4. Select **Discovered vulnerabilities**.
-5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+![tvm-breach-insights](images/tvm-weaknesses-overview.png)
 
-## How it works
-When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. 
-
-If the **Exposed Machines** column shows 0, that means you are not at risk. 
-
-If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they  put the rest of your assets and your organization at risk. 
-
-You can also see the related alert and threat insights in the **Threat** column.
-
-The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it  means there might be a breach in your organization.  
-
-![tvm-breach-insights](images/tvm-breach-insights.png)
-
-The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories.  
-
-![tvm-threat-insights](images/tvm-threat-insights.png)
+### Breach and threat insights
 
+You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
 
  >[!NOTE]
  > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon.  
 
+The breach insights icon is highlighted if there is a vulnerability found in your organization.
+![tvm-breach-insights](images/tvm-breach-insights.png)
+
+The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.  
+
+![tvm-threat-insights](images/tvm-threat-insights.png)
+
+## View Common Vulnerabilities and Exposures (CVE) entries in other places
+
+### Top vulnerable software in the dashboard
+
+1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+![top vulnerable software card](images/tvm-top-vulnerable-software500.png)
+2. Select the software that you want to investigate to go a drill down page.
+3. Select the **Discovered vulnerabilities** tab.
+4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.  
+
+![Windows server drill down overview](images/windows-server-drilldown.png)
+
+### Discover vulnerabilities in the machine page
+
+View related weaknesses information in the machine page.
+
+1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens.
+2. In the **Machines list** page, select the machine name that you want to investigate.
+<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
+3. The machine page will open with details and response options for the machine you want to investigate.
+4. Select **Discovered vulnerabilities**.
+<br>![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)</br>
+5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
+
+#### CVE Detection logic
+
+Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
+
+![Screenshot of the machine page with details and response options](images/cve-detection-logic.png)
+
 ## Report inaccuracy
 
-You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
-
-1. Select the **Discovered vulnerabilities** tab. 
-
-2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**. 
-![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png)
-<br>A flyout pane opens.</br>
-![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png)
-
-3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu. 
-<br>![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)</br>
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
-    > [!NOTE]
-    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
 
+1. Open the CVE on the Weaknesses page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
 
 ## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index e55dfe29c0..a2a976d975 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -79,7 +79,8 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
 7. Apply the configuration settings.
 
 
-After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. 
+> [!IMPORTANT]
+> After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. 
 
 
 ## Edit roles
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 4c475c71c0..de8bac35db 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -44,7 +44,7 @@ The Security Compliance Toolkit consists of:
     -   Office 365 ProPlus (Sept 2019)
 
 -   Microsoft Edge security baseline
-    -   Version 79
+    -   Version 80
 
 -   Tools
     -   Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index 9a66e7fa06..378bc21d36 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -55,7 +55,7 @@ Over time, new ways to manage security policy settings have been introduced, whi
 |[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe <br> SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.|
 |[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.|
 |[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc <br> The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.|
-|Software Restriction Policies <br> See [Administer Software Restriction Policies](https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc <br> Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
+|Software Restriction Policies <br> See [Administer Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc <br> Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
 |Administer AppLocker <br> See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc <br> Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.|
 
 ## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index accf7f1ab2..07e009dc0e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -28,6 +28,9 @@ Describes the best practices, location, values, management, and security conside
 
 Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
 
+> [!NOTE]
+> If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
+
 ### Possible values
 
 The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 20fd54f909..b713a96ecb 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/08/2017
 ---
 
 # Password must meet complexity requirements
@@ -59,6 +58,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
 
 ### Best practices
 
+> [!TIP]
+> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
+
 Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible.
 
 The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.)
@@ -104,6 +106,6 @@ If your organization has more stringent security requirements, you can create a
 
 The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
 
-## Related topics
+## Related articles
 
 - [Password Policy](password-policy.md)
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 4a75974332..fb06a1c928 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -22,7 +22,7 @@ ms.date: 04/19/2017
 **Applies to**
 -   Windows 10
 
-Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
+This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
 
 ## Reference
 
@@ -38,11 +38,12 @@ This policy setting determines the behavior of all User Account Control (UAC) po
 
     Admin Approval Mode and all related UAC policies are disabled.
 
-    >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
+    > [!NOTE]
+    > If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
      
 ### Best practices
 
--   Enable this policy to allow all other UAC features and policies to function.
+-   Turn on this policy to allow all other UAC features and policies to function.
 
 ### Location
 
@@ -67,11 +68,11 @@ This section describes features and tools that are available to help you manage
 
 ### Restart requirement
 
-A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
+The computer must be restarted before this policy is effective when changes to this policy are saved locally or distributed through Group Policy.
 
 ### Group Policy
 
-All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
+All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console or Local Security Policy snap-in for a domain, site, or organizational unit.
 
 ## Security considerations
 
@@ -79,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
-This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer.
+This setting turns on or turns off UAC. If this setting isn't turned on, UAC isn't used, and any security benefits and risk mitigations that are dependent on UAC aren't present on the computer.
 
 ### Countermeasure
 
-Enable the **User Account Control: Run all users, including administrators, as standard users** setting.
+Turn on the **User Account Control: Run all users, including administrators, as standard users** setting.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 03cf88d610..e0805ca3fb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 02/05/2020
+ms.date: 03/12/2020
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 7f217bed68..bc096eac9e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 12/10/2018
 ms.reviewer: 
 manager: dansimp
 ---
@@ -33,11 +32,11 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
 > [!NOTE]
 > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
 
-This topic describes how to configure exclusion lists for the files and folders.
+This article  describes how to configure exclusion lists for the files and folders.
 
 Exclusion | Examples | Exclusion list
 ---|---|---
-Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
+Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test`  | Extension exclusions
 Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
 A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
 A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
@@ -90,21 +89,22 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 
 3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
 
-4. Double-click the **Path Exclusions** setting and add the exclusions:
+4. Double-click the **Path Exclusions** setting and add the exclusions.
 
-    1. Set the option to **Enabled**. 
-    2. Under the **Options** section, click **Show...**.
-    3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 
+    - Set the option to **Enabled**. 
+    - Under the **Options** section, click **Show...**.
+    - Specify each folder on its own line under the **Value name** column. 
+    - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 
 
 5. Click **OK**.
 
     ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
 
-6. Double-click the **Extension Exclusions** setting and add the exclusions:
+6. Double-click the **Extension Exclusions** setting and add the exclusions.
 
-    1. Set the option to **Enabled**.
-    2. Under the **Options** section, click **Show...**.
-    3. Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column.
+    - Set the option to **Enabled**.
+    - Under the **Options** section, click **Show...**.
+    - Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column.
 
 7. Click **OK**.
 
@@ -116,13 +116,13 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
 
 Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
 
-The format for the cmdlets is:
+The format for the cmdlets is as follows:
 
 ```PowerShell
 <cmdlet> -<exclusion list> "<item>"
 ```
 
-The following are allowed as the \<cmdlet>:
+The following are allowed as the `<cmdlet>`:
 
 Configuration action | PowerShell cmdlet
 ---|---
@@ -130,7 +130,7 @@ Create or overwrite the list | `Set-MpPreference`
 Add to the list | `Add-MpPreference`
 Remove item from the list | `Remove-MpPreference`
 
-The following are allowed as the \<exclusion list>:
+The following are allowed as the `<exclusion list>`:
 
 Exclusion type | PowerShell parameter
 ---|---
@@ -168,6 +168,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c
 See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
 
 <a id="wildcards"></a>
+
 ## Use wildcards in the file name and folder path or extension exclusion lists
 
 You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
@@ -180,91 +181,21 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
 >- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
 
 The following table describes how the wildcards can be used and provides some examples.
-<table>
-    <tr>
-        <th>Wildcard</th>
-        <th>Use in file name and file extension exclusions</th>
-        <th>Use in folder exclusions</th>
-        <th>Example use</th>
-        <th>Example matches</th>
-    </tr>
-    <tr>
-        <td><b>*</b> (asterisk)</td>
-        <td>Replaces any number of characters. <br />Only applies to files in the last folder defined in the argument. </td>
-        <td>Replaces a single folder. <br />Use multiple <b>*</b> with folder slashes <b>\</b> to indicate multiple, nested folders. </br>After matching the number of wild carded and named folders, all subfolders will also be included.</td>
-        <td>
-            <ol>
-                <li>C:\MyData\<b>*</b>.txt</li>
-                <li>C:\somepath\<b>*</b>\Data</li>
-                <li>C:\Serv\<b>*</b>\<b>*</b>\Backup
-            </ol>
-        </td>
-        <td>
-            <ol>
-                <li>C:\MyData\<b>notes</b>.txt</li>
-                <li>Any file in:
-                    <ul>
-                        <li>C:\somepath\<b>Archives</b>\Data and its subfolders</li>
-                        <li>C:\somepath\<b>Authorized</b>\Data and its subfolders</li>
-                    </ul>
-                <li>Any file in:
-                <ul>
-                    <li>C:\Serv\<b>Primary</b>\<b>Denied</b>\Backup and its subfolders</li>
-                    <li>C:\Serv\<b>Secondary</b>\<b>Allowed</b>\Backup and its subfolders</li>
-                </ul>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <b>?</b> (question mark)
-        </td>
-        <td>
-            Replaces a single character. <br />
-            Only applies to files in the last folder defined in the argument.
-        </td>
-        <td>
-            Replaces a single character in a folder name. </br>
-            After matching the number of wild carded and named folders, all subfolders will also be included.
-        </td>
-        <td>
-            <ol>
-                <li>C:\MyData\my<b>?</b>.zip</li>
-                <li>C:\somepath\<b>?</b>\Data</li>
-                <li>C:\somepath\test0<b>?</b>\Data</li>
-            </ol>
-        </td>
-        <td>
-            <ol>
-                <li>C:\MyData\my<b>1</b>.zip</li>
-                <li>Any file in C:\somepath\<b>P</b>\Data and its subfolders</li>
-                <li>Any file in C:\somepath\test0<b>1</b>\Data and its subfolders</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Environment variables</td>
-        <td>The defined variable will be populated as a path when the exclusion is evaluated.</td>
-        <td>Same as file and extension use. </td>
-        <td>
-            <ol>
-                <li><b>%ALLUSERSPROFILE%</b>\CustomLogFiles</li>
-            </ol> 
-        </td>
-        <td>
-            <ol>
-                <li><b>C:\ProgramData</b>\CustomLogFiles\Folder1\file1.txt</li>
-            </ol>
-        </td>
-    </tr>
-</table>
+
+
+|Wildcard  |Examples  |
+|---------|---------|
+|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included.   | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders`     |
+|`?` (question mark)  <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.   |`C:\MyData\my` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders          |
+|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated.          |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`         |
+        
 
 >[!IMPORTANT]
 >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
 >
->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument <b>c:\data\\\*\marked\date*.\*</b>.
+>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
 >
->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
+>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
 
 <a id="review"></a>
 
@@ -362,6 +293,3 @@ You can also copy the string into a blank text file and attempt to save it with
 - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
 - [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Handling false positives/negatives](antivirus-false-positives-negatives.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 94b115e1e2..1b19f98ccd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 12/10/2018
 ms.reviewer: 
 manager: dansimp
 ---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index be5477b03f..a487d96a32 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 01/09/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
@@ -40,7 +39,7 @@ This article describes how to specify from where updates should be downloaded (t
 
 ## Fallback order
 
-Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.
 
 When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
 - The age of the last update on the device; and 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 5184c72aca..d444eaedc1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -50,6 +50,7 @@ Only the main version is listed in the following table as reference information:
 
 Month	| Platform/Client	| Engine
 ---|---|---
+Mar-2020 | 4.18.2003.x| 1.1.16900.x
 Feb-2020	|	- | 1.1.16800.x
 Jan-2020 |	4.18.2001.x	| 1.1.16700.x
 Dec-2019 | - | - |
diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
index 8e3706c360..9fc1cbc630 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md
@@ -24,10 +24,12 @@ ms.collection:
 
 ## What is shadow protection?
 
-Shadow protection (currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection)) extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. If your organization has decided to use an antivirus solution other than Windows Defender Antivirus, you are still protected through shadow protection.
+When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed. 
 
-> [!TIP]
-> To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus).
+> [!NOTE]
+> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection).
+
+To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus).
 
 ## What happens when something is detected?
 
@@ -39,6 +41,9 @@ The following images shows an instance of unwanted software that was detected an
 
 ## Turn on shadow protection
 
+> [!IMPORTANT]
+> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on.
+
 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 
 
 2. Choose **Settings** > **Advanced features**.
@@ -48,18 +53,18 @@ The following images shows an instance of unwanted software that was detected an
 3. Turn shadow protection on.
 
 > [!NOTE]
-> Currently, shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off at this time.
+> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off.
 
 ## Requirements for shadow protection
 
 |Requirement  |Details  |
 |---------|---------|
-|Permissions |One of the following roles should be assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal): <br/>- Security Administrator or Global Administrator <br/>- Security Reader <br/>See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
+|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
 |Operating system     |One of the following: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later         |
 |Windows E5 enrollment     |This is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans).       |
 |Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
-|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
 
 > [!IMPORTANT]
 > To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index d123f26a35..2efa65178d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -22,6 +22,9 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+> [!IMPORTANT]
+> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+
 You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
 
 When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 8c86ac5722..e09392cea5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -12,8 +12,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 02/25/2020
-ms.reviewer: 
+ms.reviewer:
 manager: dansimp
 ---
 
@@ -23,21 +22,24 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
+## Overview
 
-However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
+Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
 
-If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus.
+## Antivirus and Microsoft Defender ATP
 
-The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used. 
+The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
 
 
-|   Windows version   |                  Antimalware protection offered by                  | Organization enrolled in Microsoft Defender ATP |     Windows Defender Antivirus state     |
-|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------|
-|     Windows 10      | A third-party product that is not offered or developed by Microsoft |                       Yes                       |           Passive mode            |
-|     Windows 10      | A third-party product that is not offered or developed by Microsoft |                       No                        |      Automatic disabled mode      |
-|     Windows 10      |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
-|     Windows 10      |                         Windows Defender Antivirus                         |                       No                        |            Active mode            |
+| Windows version   | Antimalware protection offered by  | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state     |
+|------|------|-------|-------|
+| Windows 10      | A third-party product that is not offered or developed by Microsoft |                       Yes                       |           Passive mode            |
+| Windows 10      | A third-party product that is not offered or developed by Microsoft |                       No                        |      Automatic disabled mode      |
+| Windows 10      |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
+| Windows 10      |                         Windows Defender Antivirus                         |                       No                        |            Active mode            |
 | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft |                       Yes                       | Active mode<sup>[[1](#fn1)]</sup> |
 | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft |                       No                        | Active mode<sup>[[1](#fn1)]<sup>  |
 | Windows Server 2016 or 2019 |                         Windows Defender Antivirus                         |                       Yes                       |            Active mode            |
@@ -45,47 +47,52 @@ The following matrix illustrates the states that Windows Defender Antivirus will
 
 (<a id="fn1">1</a>)  On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
 
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: 
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` 
-- Name: ForceDefenderPassiveMode 
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
 - Value: 1
 
 See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
 
-
->[!IMPORTANT]
->Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.  
->  
->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.  
->  
->Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). 
-
-
-This table indicates the functionality and features that are available in each state:
-
-State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md)
-:-|:-|:-:|:-:|:-:|:-:|:-:
-Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service.  | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] 
-Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
-
-Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
-    
-In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
- If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
-
->[!WARNING]
->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app.
->  
->This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
+> [!IMPORTANT]
+> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
 >
->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
-    
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The following table summarizes the functionality and features that are available in each state:
+
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
+|--|--|--|--|--|--|
+|Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
+|Passive mode  |No |No |Yes |No |Yes |
+|[Shadow protection enabled](shadow-protection.md)  |No |No |Yes |Yes |Yes |
+|Automatic disabled mode  |No |Yes |No |No |No |
+
+- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
+- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
+## Keep the following points in mind
+
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
+
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
+
 
 ## Related topics
 
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 - [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
+- [Shadow protection in next-generation protection](shadow-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 7275492629..5ade5917e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -21,23 +21,24 @@
 ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
 ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
 ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
-### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
+### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
 ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
-### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
+### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
+### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
 #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
 #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
 #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
-### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
-### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
 ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
-#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
 ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
 ### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md)
 
 
+## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
+### [Understanding Application Control events](event-id-explanations.md)
+### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
 
 ## [AppLocker](applocker\applocker-overview.md) 
 ### [Administer AppLocker](applocker\administer-applocker.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 320db86050..b7d7885b7f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -23,7 +23,10 @@ ms.date: 10/16/2017
 - Windows 10
 - Windows Server
 
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. 
+
+> [!NOTE]
+> AppLocker is unable to control processes running under the system account on any operating system.
 
 AppLocker can help you:
 
@@ -78,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
 -   Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
 -   In addition to other measures, you need to control the access to sensitive data through app usage.
 
+> [!NOTE]
+> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+
 AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
 
 ## Installing AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 9e6f941382..e07be3cc57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -27,7 +27,7 @@ ms.date: 02/28/2018
 -   Windows 10
 -   Windows Server 2016
 
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). 
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). 
 
 If you have an internal CA, complete these steps to create a code signing certificate. 
 Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. 
@@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c
 >[!NOTE]
 >If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
 
-This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
+This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
 
 1.  Right-click the certificate, point to **All Tasks**, and then click **Export**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 484dd83dc0..1ea8df15e9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
     `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
 
 >[!NOTE]
->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
 
 When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor. 
 
@@ -95,16 +95,16 @@ Packages can fail for the following reasons:
     - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
         - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
         - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
-        - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow
+        - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
     - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
     - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
     - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
 - Package files that change hash each time the package is installed
     - Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement.  If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
-- Files with an invalid signature blob or otherwise “unhashable” files
+- Files with an invalid signature blob or otherwise "unhashable" files
     - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
-    - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it)
-    - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
+    - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
+    - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
 
 ## Catalog signing with SignTool.exe
 
@@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
     
    `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
 
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. 
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store. 
 
 3. Sign the catalog file with Signtool.exe:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 5c089e58ac..1700437f22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -24,7 +24,7 @@ ms.date: 02/28/2018
 -   Windows 10
 -   Windows Server 2016
 
-WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
 
 > [!NOTE]
 > This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
new file mode 100644
index 0000000000..182c28dedc
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -0,0 +1,80 @@
+---
+title: Understanding Application Control events (Windows 10)
+description: Learn what different Windows Defender Application Control events signify.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 3/17/2020
+---
+
+# Understanding Application Control events
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+
+1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## Microsoft Windows CodeIntegrity Operational log event IDs
+
+| Event ID | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3076 | Audit executable/dll file |
+| 3077 | Block executable/dll file |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.<br>Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. |
+| 3099 | Indicates that a policy has been loaded |
+
+## Microsoft Windows Applocker MSI and Script log event IDs
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
+| 8029 | Block script/MSI file |
+| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | |
+
+## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
+
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3090 | Allow executable/dll file |
+| 3091 | Audit executable/dll file |
+| 3092 | Block executable/dll file |
+
+3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
+
+### SmartLocker template
+
+Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
+
+| Name | Explanation |
+|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
+| ManagedInstallerEnabled | Policy trusts a MI |
+| PassesManagedInstaller | File originated from a trusted MI |
+| SmartlockerEnabled | Policy trusts the ISG |
+| PassesSmartlocker | File had positive reputation |
+| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
+
+### Enabling ISG and MI diagnostic events
+
+In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
+
+    ```powershell
+    reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
+    ```
+In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
+
+    ```powershell
+    reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
+    ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 44fd750878..c8e505e884 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -65,10 +65,10 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
 | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
 | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| 
-| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
-| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
 
 ## Windows Defender Application Control file rule levels
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
deleted file mode 100644
index 4d6bb94c8f..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Signing Windows Defender Application Control policies with SignTool.exe  (Windows 10)
-description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. 
-keywords: whitelisting, security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 02/21/2018
----
-
-# Signing Windows Defender Application Control policies with SignTool.exe 
-
-**Applies to:**
-
--   Windows 10
--   Windows Server 2016
-
-Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
-In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. 
-These policies are designed to prevent administrative tampering and kernel mode exploit access. 
-With this in mind, it is much more difficult to remove signed WDAC policies. 
-Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
-
-Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
-If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. 
-
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
-
-To sign a WDAC policy with SignTool.exe, you need the following components:
-
--   SignTool.exe, found in the Windows SDK (Windows 7 or later)
-
--   The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created
-
--   An internal CA code signing certificate or a purchased code signing certificate
-
-If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
-
-1. Initialize the variables that will be used:
-
-   `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-    
-   `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-    
-   `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
-
-   > [!NOTE]
-   > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
-
-2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
-
-3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
-
-4. Navigate to your desktop as the working directory:
-
-   `cd $env:USERPROFILE\Desktop`
-
-5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
-
-   `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update`
-
-   > [!NOTE]
-   > \<Path to exported .cer certificate> should be the full path to the certificate that you exported in   step 3.
-   Also, adding update signers is crucial to being able to modify or disable this policy in the future. 
-
-6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
-
-   `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
-
-7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
-
-   `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
-
-8. Sign the WDAC policy by using SignTool.exe:
-
-   `<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
-
-   > [!NOTE]
-   > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-
-9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 04a21aa98f..1fe1a3c6b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro
 
 -   You have deployed or plan to deploy the supported versions of Windows in your organization.
 -   You need improved control over the access to your organization's applications and the data your users access.
--   Your organization has a well-defined process for application management and deployed.
+-   Your organization has a well-defined process for application management and deployment.
 -   You have resources to test policies against the organization's requirements.
 -   You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
 -   The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 76cec7912f..da33a878fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps
 
 ## Reviewing your applications: application signing and catalog files 
 
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
 
 Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
 
@@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications,
 
 To use catalog signing, you can choose from the following options:
 
-- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. 
 
 - Create your own catalog files, which are described in the next section. 
 
@@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options:
 
 Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
 
-Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
 
 After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
 
 > [!NOTE]
-> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
 
 For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index edbac5d2b9..7386316a87 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -28,10 +28,8 @@ ms.date: 05/03/2018
 -   Windows Server 2016
 
 
-Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
-In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. 
-These policies are designed to prevent administrative tampering and kernel mode exploit access. 
-With this in mind, it is much more difficult to remove signed WDAC policies. 
+Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
+
 Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
 
 Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 232b40eec6..9e0b0651d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De
 
 1. Review requirements, especially hardware requirements for VBS. 
 
-2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
 
 3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
 
    - How standardized is the hardware?<br>This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
 
-   - What software does each department or role need? Should they be able to install and run other departments’ software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
+   - What software does each department or role need? Should they be able to install and run other departments' software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
          
    - Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
 
    - Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline WDAC policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
 
    - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? 
-     In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. 
+     In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. 
     
      Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
 
@@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
 
 ## Known issues
 
-This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). 
+This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). 
 Test this configuration in your lab before enabling it in production. 
 
 ### MSI Installations are blocked by WDAC
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
new file mode 100644
index 0000000000..a34e52ab58
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -0,0 +1,42 @@
+---
+title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
+description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 03/16/2020
+---
+
+#  Windows Defender Application Control operational guide
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
+
+## WDAC Events Overview
+
+WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
+
+WDAC events are generated under two locations:
+
+1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. |
+| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 2ce382c919..d02b829376 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -24,7 +24,7 @@ manager: dansimp
 - Windows 10, version 1703 and later
 
 
-The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
+The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
 
 The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues.
 
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 939db827c5..0dabbdb3b1 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
-description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
+description: A list of all available settings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
 keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
@@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
 <tr>
 <td>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
 <td>Windows 10, version 1703</td>
-<td>This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly.<p>If you enable this setting, your employees can only install apps from the Microsoft Store.<p>If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.<p>If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.</td>
+<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.<p>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.<p><strong>Important:</strong> Using a trustworthy browser helps ensure that these protections work as expected.</td>
 </tr>
 <tr>
 <td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
@@ -176,7 +176,7 @@ To better help you protect your organization, we recommend turning on and using
 </tr>
 <tr>
 <td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files</td>
-<td><strong>Enable.</strong> Stops employees from ingnoring warning messages and continuing to download potentially malicious files.</td>
+<td><strong>Enable.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
 </tr>
 <tr>
 <td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
@@ -199,7 +199,7 @@ To better help you protect your organization, we recommend turning on and using
 </tr>
 <tr>
 <td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
-<td><strong>1.</strong> Stops employees from ingnoring warning messages and continuing to download potentially malicious files.</td>
+<td><strong>1.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
 </tr>
 <tr>
 <td>SmartScreen/EnableSmartScreenInShell</td>
diff --git a/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png
new file mode 100644
index 0000000000..ef004facab
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png
new file mode 100644
index 0000000000..8f94ffe396
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png
new file mode 100644
index 0000000000..bad3e1c0b3
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png
new file mode 100644
index 0000000000..fe3245e60a
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png
new file mode 100644
index 0000000000..ee8aa78bbc
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
new file mode 100644
index 0000000000..94be89b74f
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
new file mode 100644
index 0000000000..db22ee475a
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -0,0 +1,62 @@
+---
+title: Windows Sandbox architecture
+description: 
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: 
+ms.topic: article
+ms.localizationpriority: 
+ms.date: 
+ms.reviewer: 
+---
+
+# Windows Sandbox architecture
+
+Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs.
+
+## Dynamically generated image
+
+Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.
+
+Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
+ 
+Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
+
+![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png)
+
+## Memory management
+
+Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
+
+![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png)
+
+## Memory sharing
+
+Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+
+![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png)
+
+## Integrated kernel scheduler
+
+With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
+
+![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)
+
+Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.
+ 
+## WDDM GPU virtualization
+
+Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
+
+This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
+
+![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png)
+
+To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
+ 
+## Battery pass-through
+
+Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
new file mode 100644
index 0000000000..2ac125c33b
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -0,0 +1,216 @@
+---
+title: Windows Sandbox configuration
+description: 
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: 
+ms.topic: article
+ms.localizationpriority: 
+ms.date: 
+ms.reviewer: 
+---
+
+# Windows Sandbox configuration
+
+Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.
+
+Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:
+
+**C:\Temp> MyConfigFile.wsb** 
+
+ A configuration file enables the user to control the following aspects of Windows Sandbox:
+- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
+- **Networking**: Enable or disable network access within the sandbox.
+- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
+- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Audio input**: Shares the host's microphone input into the sandbox.
+- **Video input**: Shares the host's webcam input into the sandbox.
+- **Protected client**: Places increased security settings on the RDP session to the sandbox.
+- **Printer redirection**: Shares printers from the host into the sandbox.
+- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
+
+**Keywords, values, and limits**
+
+**vGPU**: Enables or disables GPU sharing.
+
+`<vGPU>value</vGPU>`
+
+Supported values:
+- *Enable*: Enables vGPU support in the sandbox.
+- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
+- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled.
+
+> [!NOTE]
+> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
+
+**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
+
+`<Networking>value</Networking>`
+
+Supported values:
+- *Disable*: Disables networking in the sandbox.
+- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+
+> [!NOTE]
+> Enabling networking can expose untrusted applications to the internal network.
+
+**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.
+
+```xml
+<MappedFolders>
+  <MappedFolder> 
+    <HostFolder>absolute path to the host folder</HostFolder> 
+    <SandboxFolder>absolute path to the sandbox folder</SandboxFolder> 
+    <ReadOnly>value</ReadOnly> 
+  </MappedFolder>
+  <MappedFolder>  
+    ...
+  </MappedFolder>
+</MappedFolders>
+```
+
+*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start.
+
+*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
+
+*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
+
+
+> [!NOTE] 
+> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
+
+**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
+
+```xml
+<LogonCommand>
+  <Command>command to be invoked</Command>
+</LogonCommand>
+```
+
+*Command*: A path to an executable or script inside the container that will be executed after login.
+
+> [!NOTE]
+> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
+
+**Audio input**: Enables or disables audio input to the sandbox.
+
+`<AudioInput>value</AudioInput>`
+
+Supported values:
+- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
+- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
+- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
+
+> [!NOTE]
+> There may be security implications of exposing host audio input to the container.
+ 
+**Video input**: Enables or disables video input to the sandbox.
+
+`<VideoInput>value</VideoInput>`
+
+Supported values:
+- *Enable*: Enables video input in the sandbox. 
+- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
+- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host video input to the container.
+
+**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.
+
+`<ProtectedClient>value</ProtectedClient>`
+
+Supported values:
+- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
+- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
+- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
+
+> [!NOTE]
+> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
+
+**Printer redirection**: Enables or disables printer sharing from the host into the sandbox.
+
+`<PrinterRedirection>value</PrinterRedirection>`
+
+Supported values:
+- *Enable*: Enables sharing of host printers into the sandbox.
+- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
+- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
+
+**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox.
+
+`<ClipboardRedirection>value</ClipboardRedirection>`
+
+Supported values:
+- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. 
+- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*.
+
+**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
+
+`<MemoryInMB>value</MemoryInMB>`
+
+If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
+
+***Example 1***   
+The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
+
+*Downloads.wsb*
+
+```xml
+<Configuration>
+  <VGpu>Disable</VGpu>
+  <Networking>Disable</Networking>
+  <MappedFolders>
+    <MappedFolder>
+      <HostFolder>C:\Users\Public\Downloads</HostFolder>
+      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
+      <ReadOnly>true</ReadOnly>
+    </MappedFolder>
+  </MappedFolders>
+  <LogonCommand>
+    <Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
+  </LogonCommand>
+</Configuration>
+```
+
+***Example 2***
+
+The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
+
+Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
+
+With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
+
+*VSCodeInstall.cmd*
+
+```console
+REM Download Visual Studio Code
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
+
+REM Install and run Visual Studio Code
+C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
+```
+
+*VSCode.wsb*
+
+```xml
+<Configuration>
+  <MappedFolders>
+    <MappedFolder>
+      <HostFolder>C:\SandboxScripts</HostFolder>
+      <ReadOnly>true</ReadOnly>
+    </MappedFolder>
+    <MappedFolder>
+      <HostFolder>C:\CodingProjects</HostFolder>
+      <ReadOnly>false</ReadOnly>
+    </MappedFolder>
+  </MappedFolders>
+  <LogonCommand>
+    <Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
+  </LogonCommand>
+</Configuration>
+```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
new file mode 100644
index 0000000000..fa85062872
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -0,0 +1,61 @@
+---
+title: Windows Sandbox 
+description: 
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: 
+ms.topic: article
+ms.localizationpriority: 
+ms.date: 
+ms.reviewer: 
+---
+
+# Windows Sandbox 
+
+Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
+
+A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
+
+Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
+
+Windows Sandbox has the following properties:
+- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
+- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
+- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
+- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
+- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
+
+The following video provides an overview of Windows Sandbox.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
+
+
+## Prerequisites
+ 
+- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
+- AMD64 architecture
+- Virtualization capabilities enabled in BIOS
+- At least 4 GB of RAM (8 GB recommended)
+- At least 1 GB of free disk space (SSD recommended)
+- At least two CPU cores (four cores with hyperthreading recommended)
+
+## Installation
+
+1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
+2. Enable virtualization on the machine.
+
+   - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
+   - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:<br/> **Set -VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true**
+1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+
+   - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
+1.   Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
+
+## Usage 
+1. Copy an executable file (and any other files needed to run the application) from the host into the Windows Sandbox window.
+2. Run the executable file or installer inside the sandbox.
+3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **ok**.
+4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 81d06744df..d4412fe665 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -55,8 +55,8 @@ No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new
 **Client Versions**
 
 | Name | Build | Baseline Release Date | Security Tools |
-|---|---|---|---|
-|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| ---- | ----- | --------------------- | -------------- |
+| Windows 10 | [1809 (October 2018)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019) <br>[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft) <br>[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <br> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <br>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <br>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <br>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018 <br>March 2018 <br>October 2017 <br>August 2017 <br>October 2016 <br>January 2016<br> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
 Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
 Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
 Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index d944485086..32282b709b 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:
 
 -   Windows 10 security baselines
+    -   Windows 10 Version 1909 (November 2019 Update)
+    -   Windows 10 Version 1903 (April 2019 Update)
     -   Windows 10 Version 1809 (October 2018 Update)
     -   Windows 10 Version 1803 (April 2018 Update)
     -   Windows 10 Version 1709 (Fall Creators Update)
@@ -41,7 +43,11 @@ The Security Compliance Toolkit consists of:
     -   Windows Server 2012 R2
 
 -   Microsoft Office security baseline
+    -   Office 365 Pro Plus
     -   Office 2016 
+    
+-   Microsoft Edge security baseline
+    -   Edge Browser Version 80
 
 -   Tools
     -   Policy Analyzer tool