diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 2afca91613..4d18fb5f5c 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -683,7 +683,6 @@
 ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -711,6 +710,7 @@
 ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index ad8401a51b..79d61b2019 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ author: mjcaparas
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 > [!NOTE]
-> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. 
+> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
 
 ### Onboard endpoints
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@@ -44,10 +44,11 @@ author: mjcaparas
 9. Click **OK** and close any open GPMC windows.
 
 ## Additional Windows Defender ATP configuration settings
+For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
 
 You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
 
-### Configure sample collection settings 
+### Configure sample collection settings
 1.  On your GP management machine, copy the following files from the
     configuration package:
 
@@ -65,6 +66,9 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
 
 6.  Choose to enable or disable sample sharing from your endpoints.
 
+>[!NOTE]
+> If you don't set a value, the default value is to enable sample collection.
+
 ### Offboard endpoints
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
@@ -74,9 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 1.	Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
     a. Click **Endpoint Management** on the **Navigation pane**.
-    
+
     b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
-    
+
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
 3.	Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
@@ -93,10 +97,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
 9.	Click **OK** and close any open GPMC windows.
 
-## Monitor endpoint configuration 
+## Monitor endpoint configuration
 With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
 
-## Monitor endpoints using the portal 
+## Monitor endpoints using the portal
 1.	Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
 2.	Click **Machines view**.
 3.	Verify that endpoints are appearing.
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 41757b17fe..0376665c6a 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -49,20 +49,20 @@ You can use System Center Configuration Manager’s existing functionality to cr
     a. Choose a predefined device collection to deploy the package to.
 
 ### Configure sample collection settings
+For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
 You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
 This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
 
-For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
-
 The configuration is set through the following registry key entry:
 
 ```
 Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
-Name: "SampleSharing"
+Name: "AllowSampleCollection"
 Value: 0 or 1
 ```
 Where:<br>
-Name type is a D-WORD. <br>
+Key type is a D-WORD. <br>
 Possible values are:
 - 0 - doesn't allow sample sharing  from this endpoint
 - 1 - allows sharing of all file types from this endpoint
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index ca48cebbda..eff1476d26 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -38,15 +38,15 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
 For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
 
 ## Configure sample collection settings
-You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.  
-
 For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
 
+You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.  
+
 The configuration is set through the following registry key entry:
 
 ```
 Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
-Name: "SampleSharing"
+Name: "AllowSampleCollection"
 Value: 0 or 1
 ```
 Where:<br>
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index 999ee32bac..84503521df 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -15,14 +15,15 @@ author: mjcaparas
 **Applies to:**
 
 - Windows 10, version 1607
+- Windows Defender
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode. 
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
 
 Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
 
 The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
 
 For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
-
-
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index f8a751ba98..cc1448d745 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -68,14 +68,14 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
 <tr>
 <td>4</td>
 <td>Windows Defender Advanced Threat Protection service contacted the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 This URL will match that seen in the Firewall or network activity.</td>
 <td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>5</td>
 <td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 The service could not contact the external processing servers at that URL.</td>
 <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
 </tr>
@@ -138,7 +138,7 @@ It may take several hours for the endpoint to appear in the portal.</td>
 <tr>
 <td>15</td>
 <td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
+<td>Variable = URL of the Windows Defender ATP processing servers.<br>
 The service could not contact the external processing servers at that URL.</td>
 <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
 </tr>
@@ -246,44 +246,38 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
 <tr>
 <td>36</td>
 <td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.</td>
-<td>
-</td>
-<td></td>
+<td>Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>37</td>
 <td>Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
-<td>
-</td>
-<td></td>
+<td>The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>38</td>
 <td>Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
-<td>
-</td>
-<td></td>
+<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>39</td>
 <td>Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
-<td>
-</td>
-<td></td>
+<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>40</td>
 <td>Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
-<td>
-</td>
-<td></td>
+<td>The machine has low battery level and will contact the server less frequently.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>41</td>
 <td>Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
-<td>
-</td>
-<td></td>
+<td>The machine doesn’t have low battery level and will contact the server as usual.</td>
+<td>Normal operating notification; no action required.</td>
 </tr>
 <tr>
 <td>42</td>
@@ -306,14 +300,14 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
 <tr>
 <td>45</td>
 <td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
-<td>An error occurred on service startup while creating ETW session. This cause service start-up failure.</td>
+<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
 <td>If this error persists, contact Support.</td>
 </tr>
 <tr>
 <td>46</td>
 <td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
-<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and running but doesn’t report any sensors event until the ETW session is started.</td>
-<td>No action required. the service will try to start the session every minutes.</td>
+<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.</td>
+<td>No action required. The service will try to start the session every minute.</td>
 </tr>
 <tr>
 <td>47</td>
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 4432556804..33d9bd1f92 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -43,7 +43,12 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
 > [!NOTE]
 > Endpoints that are running Windows Server and mobile versions of Windows are not supported.
 
-Internet connectivity on endpoints is also required. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
+#### Internet connectivity
+Internet connectivity on endpoints is also required.
+
+The daily bandwidth utilization on each endpoint is 5MB. The network bandwidth utilization requires ________ (ALON, PLEASE PROVIDE MISSING INFO).
+
+For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
 
 Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
 
@@ -92,8 +97,11 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
     ```text
     sc qc diagtrack
     ```
+
 ## Windows Defender signature updates are configured
-The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them, If Windows Defender is not the active Anti-Malware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
+
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
 
 ## Windows Defender Early Launch AntiMalware (ELAM) driver is enabled
 If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.