diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index d68c571a53..06c5e2b538 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -64,7 +64,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to
 -   **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
 
 -   **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
-    For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+    For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). 
 
 There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
 
@@ -261,7 +261,9 @@ The most common scenario in an organization is reissuing virtual smart cards, wh
 
 #### Blocked virtual smart card
 
-The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+
+For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
 
 ## See also
 
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index e69658d82e..a8defba7ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -7,6 +7,7 @@
 ### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 ## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 ### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..940c705412
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,107 @@
+---
+title: Onboard previous versions of Windows on Windows Defender ATP
+description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 06/18/2018
+---
+
+# Onboard previous versions of Windows
+
+**Applies to:**
+
+- Windows 7 SP1 Enterprise
+- Windows 7 SP1 Pro
+- Windows 8.1 Pro
+- Windows 8.1 Enterprise
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
+
+To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
+- Configure and update System Center Endpoint Protection clients.
+- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below.
+
+>[!TIP]
+> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+
+## Configure and update System Center Endpoint Protection clients
+>[!IMPORTANT]
+>This step is required only if your organization uses System Center Endpoint Protection (SCEP).
+
+Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
+
+The following steps are required to enable this integration: 
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+
+## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
+
+### Before you begin
+Review the following details to verify minimum system requirements:
+- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+  
+  >[!NOTE]
+  >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
+
+- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+  
+  >[!NOTE]
+  >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
+
+1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
+
+2. Obtain the workspace ID:
+   - In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding**
+   - Select **Windows 7 SP1 and 8.1** as the operating system
+   - Copy the workspace ID and workspace key
+
+3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
+    - Manually install the agent using setup<br>
+      On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
+    - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
+
+4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
+
+Once completed, you should see onboarded endpoints in the portal within an hour.
+
+### Configure proxy and Internet connectivity settings
+ 
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
+
+Agent Resource    |    Ports 
+:---|:---
+|    *.oms.opinsights.azure.com    |    443    |
+|    *.blob.core.windows.net    |    443    |
+|    *.azure-automation.net    |    443    |
+|    *.ods.opinsights.azure.com    |    443    |
+|    winatp-gw-cus.microsoft.com     |    443    |
+|    winatp-gw-eus.microsoft.com    |    443    |
+|    winatp-gw-neu.microsoft.com    |    443    |
+|    winatp-gw-weu.microsoft.com    |    443    |
+|winatp-gw-uks.microsoft.com | 443 |
+|winatp-gw-ukw.microsoft.com | 443 | 
+
+
+## Offboard client endpoints
+To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP. 
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 4b90b87fb8..ed796f2f36 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.date: 06/18/2018
 ---
 
 # Windows Defender ATP preview features
@@ -42,12 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 
 ## Preview features
 The following features are included in the preview release:
+- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)<br>
+Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+  - Windows 7 SP1 Enterprise
+  - Windows 7 SP1 Pro
+  - Windows 8.1 Enterprise
+  - Windows 8.1 Pro 
 
 - [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP supports the onboarding of the following servers:
     - Windows Server 2012 R2
     - Windows Server 2016
     - Windows Server, version 1803
+    
 
 - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.