diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 1a16c46d86..44cc9145f9 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -31,7 +31,7 @@ When connecting external devices and displays to a Surface Hub, there are severa
 ## Guest Mode
 
 
-Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements.
+Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source.
 
 >[!NOTE]
 >When an HDCP source is connected, use the side  keypad to change source inputs.
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 47f53254f6..f6f48f6401 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -91,7 +91,7 @@ From here on, you'll need to finish the account creation process using PowerShel
 In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console:
 
 -   [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149)
--   [Windows Azure Active Directory Module for Windows PowerShell](https://go.microsoft.com/fwlink/p/?linkid=236297)
+-   [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids)
 -   [Skype for Business Online, Windows PowerShell Module](http://www.microsoft.com/download/details.aspx?id=39366)
 
 ### Connecting to online services
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index 0f3defa248..dccacb8551 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -176,4 +176,8 @@ This example shows a link to a website and a link to a .pdf file.
   </DefaultLayoutOverride>
 </LayoutModificationTemplate>
 
-```
\ No newline at end of file
+```
+
+## More information
+
+- [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)
\ No newline at end of file
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 2542a03b63..e08ae3f4bd 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -2,9 +2,10 @@
 ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
 ## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
 ## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md)
+## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
+## [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md)
+## [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
 ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
 ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 ## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index e38d95e4ca..d8cfdf2e49 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -22,9 +22,10 @@ Enterprises often need to apply custom configurations to devices for their users
 | [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
 |[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
 | [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
-|[Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
-| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
-| [Windows 10 diagnostic data for the Full diagnostic data level](windows-diagnostic-data-1703.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. |
+| [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)| Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703.|
+| [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
+| [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1709. |
+| [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1703. |
 |[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.  |
diff --git a/windows/configuration/windows-diagnostic-data-1703.md b/windows/configuration/windows-diagnostic-data-1703.md
index 954a8fc5e0..67fd23abec 100644
--- a/windows/configuration/windows-diagnostic-data-1703.md
+++ b/windows/configuration/windows-diagnostic-data-1703.md
@@ -8,13 +8,13 @@ ms.sitesec: library
 ms.localizationpriority: high
 author: eross-msft
 ms.author: lizross
-ms.date: 04/05/2017
+ms.date: 11/28/2017
 ---
 
 # Windows 10 diagnostic data for the Full diagnostic data level
 
 **Applies to:**
-- Windows 10, version 1703 and later
+- Windows 10, version 1703
 
 Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs.   This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
 
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
new file mode 100644
index 0000000000..e3c5fb9fa4
--- /dev/null
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -0,0 +1,262 @@
+---
+title: Windows 10, version 1709 diagnostic data for the Full level (Windows 10)
+description: Use this article to learn about the types of diagnostic data that is collected at the Full level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 01/30/2018
+---
+
+# Windows 10, version 1709 diagnostic data for the Full level
+
+Applies to:
+- Windows 10, version 1709
+
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+
+The data covered in this article is grouped into the following types:
+
+- Common data (diagnostic header information)
+
+- Device, Connectivity, and Configuration data
+
+- Product and Service Usage data
+
+- Product and Service Performance data
+
+- Software Setup and Inventory data
+
+- Browsing History data
+
+- Inking, Typing, and Speech Utterance data
+
+## Common data
+Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017.
+
+**Data Use for Common data**
+Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
+
+### Data Description for Common data type
+|Sub-type|Description and examples|
+|- |- |
+|Common Data|Information that is added to most diagnostic events, if relevant and available:<ul><li>Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)</li><li>Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)</li><li>Event collection time (8.2.3.2.2 Telemetry data)</li><li>User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)</li><li>Xbox UserID (8.2.5 Account data)</li><li>Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)</li><li>Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)</li><li>Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)</li><li>Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)</li><li>HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)</li><li>Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)</li></ul>|
+
+## Device, Connectivity, and Configuration data
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+
+### Data Use for Device, Connectivity, and Configuration data 
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example:
+
+- Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example:
+
+    - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues.
+
+    - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues.
+
+    - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices.
+
+- Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update.
+
+- Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update.
+
+- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.  
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
+
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.  
+  
+### Data Description for Device, Connectivity, and Configuration data type
+|Sub-type|Description and examples|
+|- |- |
+|Device properties |Information about the operating system and device hardware, such as:<br><ul><li>Operating system - version name, edition</li><li>Installation type, subscription status, and genuine operating system status</li><li>Processor architecture, speed, number of cores, manufacturer, and model</li><li>OEM details --manufacturer, model, and serial number</li><li>Device identifier and Xbox serial number</li><li>Firmware/BIOS operating system -- type, manufacturer, model, and version</li><li>Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory</li><li>Storage -- total capacity and disk type</li><li>Battery -- charge capacity and InstantOn support</li><li>Hardware chassis type, color, and form factor</li><li>Is this a virtual machine?</li></ul>|
+|Device capabilities|Information about the specific device capabilities, such as:<br/><ul><li>Camera -- whether the device has a front facing camera, a rear facing camera, or both.</li><li>Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?</li><li>Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2</li><li>Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version</li><li>Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware</li><li>Voice -- whether voice interaction is supported and the number of active microphones</li><li>Number of displays, resolutions, and DPI</li><li>Wireless capabilities</li><li>OEM or platform face detection</li><li>OEM or platform video stabilization and quality-level set</li><li>Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability</li></ul>|
+|Device preferences and settings |Information about the device settings and user preferences, such as:<br><ul><li>User Settings -- System, Device, Network &amp; Internet, Personalization, Cortana, Apps, Accounts, Time &amp; Language, Gaming, Ease of Access, Privacy, Update &amp; Security</li><li>User-provided device name</li><li>Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)</li><li>Hashed representation of the domain name</li><li>MDM (mobile device management) enrollment settings and status</li><li>BitLocker, Secure Boot, encryption settings, and status</li><li>Windows Update settings and status</li><li>Developer Unlock settings and status</li><li>Default app choices</li><li>Default browser choice</li><li>Default language settings for app, input, keyboard, speech, and display</li><li>App store update settings</li><li>Enterprise OrganizationID, Commercial ID</li></ul>|
+|Device peripherals |Information about the device peripherals, such as:<br><ul><li>Peripheral name, device model, class, manufacturer, and description</li><li>Peripheral device state, install state, and checksum</li><li>Driver name, package name, version, and manufacturer</li><li>HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)</li><li>Driver state, problem code, and checksum</li><li>Whether driver is kernel mode, signed, and image size</li></ul>|
+|Device network info |Information about the device network configuration, such as:<br><ul><li>Network system capabilities</li><li>Local or Internet connectivity status</li><li>Proxy, gateway, DHCP, DNS details, and addresses</li><li>Whether it's a paid or free network</li><li>Whether the wireless driver is emulated</li><li>Whether it's access point mode-capable</li><li>Access point manufacturer, model, and MAC address</li><li>WDI Version</li><li>Name of networking driver service</li><li>Wi-Fi Direct details</li><li>Wi-Fi device hardware ID and manufacturer</li><li>Wi-Fi scan attempt  and item counts</li><li>Whether MAC randomization is supported and enabled</li><li>Number of supported spatial streams and channel frequencies</li><li>Whether Manual or Auto-connect is enabled</li><li>Time and result of each connection attempt</li><li>Airplane mode status and attempts</li><li>Interface description provided by the manufacturer</li><li>Data transfer rates</li><li>Cipher algorithm</li><li>Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)</li><li>Mobile operator and service provider name</li><li>Available SSIDs and BSSIDs</li><li>IP Address type -- IPv4 or IPv6</li><li>Signal Quality percentage and changes</li><li>Hotspot presence detection and success rate</li><li>TCP connection performance</li><li>Miracast device names</li><li>Hashed IP address</li></ul>
+
+## Product and Service Usage data
+This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Product and Service Usage data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. 
+
+- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
+
+- Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature.
+
+- Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process.
+
+- Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana.
+
+- Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
+
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+
+
+### Data Description for Product and Service Usage data type
+|Sub-type|Description and examples |
+|- |- |
+|App usage|Information about Windows and application usage, such as:<ul><li>Operating system component and app feature usage</li><li>User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites</li><li>Time of and count of app and component launches, duration of use, session GUID, and process ID</li><li>App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction</li><li>User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long</li><li>Cortana launch entry point and reason</li><li>Notification delivery requests and status</li><li>Apps used to edit images and videos</li><li>SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines</li><li>Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines</li><li>Emergency alerts are received or displayed statistics</li><li>Content searches within an app</li><li>Reading activity -- bookmarked, printed, or had the layout changed</li></ul>|
+|App or product state|Information about Windows and application state, such as:<ul><li>Start Menu and Taskbar pins</li><li>Online and offline status</li><li>App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture</li><li>Personalization impressions delivered</li><li>Whether the user clicked on, or hovered over, UI controls or hotspots</li><li>User provided feedback, such as Like, Dislike or a rating</li><li>Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.</li></ul>|
+|Purchasing|Information about purchases made on the device, such as:<br><ul><li>Product ID, edition ID and product URI</li><li>Offer details -- price</li><li>Date and time an order was requested</li><li>Microsoft Store client type -- web or native client</li><li>Purchase quantity and price</li><li>Payment type -- credit card type and PayPal</li></ul> |
+|Login properties|Information about logins on the device, such as:<ul><li>Login success or failure</li><li>Login sessions and state</li></ul>|
+
+## Product and Service Performance data
+This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
+
+### Data Use for Product and Service Performance data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
+
+- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance.
+
+- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
+
+- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users.
+
+- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
+
+- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
+
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+
+**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
+
+### Data Description for Product and Service Performance data type
+|Sub-type|Description and examples |
+|- |- |
+|Device health and crash data|Information about the device and software health, such as:<br><ul><li>Error codes and error messages, name and ID of the app, and process reporting the error</li><li>DLL library predicted to be the source of the error -- for example, xyz.dll</li><li>System generated files -- app or product logs and trace files to help diagnose a crash or hang</li><li>System settings, such as registry keys</li><li>User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files</li><li>Details and counts of abnormal shutdowns, hangs, and crashes</li><li>Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data</li><li>Crash and hang dumps, including:<ul><li>The recorded state of the working memory at the point of the crash</li><li>Memory in-use by the kernel at the point of the crash.</li><li>Memory in-use by the application at the point of the crash</li><li>All the physical memory used by Windows at the point of the crash</li><li>Class and function name within the module that failed.</li></li></ul>|
+|Device performance and reliability data|Information about the device and software performance, such as:<br><ul><li>User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability</li><li>Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)</li><li>In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction</li><li>User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score</li><li>UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance</li><li>Disk footprint -- Free disk space, out of memory conditions, and disk score</li><li>Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states</li><li>Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results</li><li>Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times</li><li>Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account</li><li>Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions</li><li>Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol</li><li>Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system</li></ul>|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>Video Width, height, color palette, encoding (compression) type, and encryption type</li><li>Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth</li><li>URL for a specific two-second chunk of content if there is an error</li><li>Full-screen viewing mode details</li></ul>|
+|Music &amp; TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service</li><li>Content type (video, audio, or surround audio)</li><li>Local media library collection statistics -- number of purchased tracks and number of playlists</li><li>Region mismatch -- User's operating system region and Xbox Live region</li></ul>|
+|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>App accessing content and status and options used to open a Microsoft Store book</li><li>Language of the book</li><li>Time spent reading content</li><li>Content type and size details</li></ul>|
+|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.<ul><li>File source data -- local, SD card, network device, and OneDrive</li><li>Image and video resolution, video length, file sizes types, and encoding</li><li>Collection view or full screen viewer use and duration of view</li></ul>|
+|On-device file query |Information about local search activity on the device, such as: <ul><li>Kind of query issued and index type (ConstraintIndex or SystemIndex)</li><li>Number of items requested and retrieved</li><li>File extension of search result with which the user interacted</li><li>Launched item type, file extension, index of origin, and the App ID of the opening app</li><li>Name of process calling the indexer and the amount of time to service the query</li><li>A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)</li></ul> |
+|Entitlements |Information about entitlements on the device, such as:<ul><li>Service subscription status and errors</li><li>DRM and license rights details -- Groove subscription or operating system volume license</li><li>Entitlement ID, lease ID, and package ID of the install package</li><li>Entitlement revocation</li><li>License type (trial, offline versus online) and duration</li><li>License usage session</li></ul>|
+
+## Software Setup and Inventory data
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Software Setup and Inventory data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+
+- Data about when a download starts and finishes on a device is used to understand and address download problems.
+
+- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
+
+- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
+
+**With (optional) Tailored experiences:**<br>
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store.
+
+### Data Description for Software Setup and Inventory data type
+|Sub-type|Description and examples |
+|- |- |
+|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:<ul><li>App, driver, update package, or component’s Name, ID, or Package Family Name</li><li>Product, SKU, availability, catalog, content, and Bundle IDs</li><li>Operating system component, app or driver publisher, language, version and type (Win32 or UWP)</li><li>Install date, method, install directory, and count of install attempts</li><li>MSI package and product code</li><li>Original operating system version at install time</li><li>User, administrator, or mandatory installation or update</li><li>Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update</li></ul>|
+|Device update information |Information about Windows Update, such as:<ul><li>Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)</li><li>Number of applicable updates, importance, and type</li><li>Update download size and source -- CDN or LAN peers</li><li>Delay upgrade status and configuration</li><li>Operating system uninstall and rollback status and count</li><li>Windows Update server and service URL</li><li>Windows Update machine ID</li><li>Windows Insider build details</li></ul>|
+
+## Browsing History data
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+
+### Data Use for Browsing History data
+
+**For Diagnostics:**<br>
+[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
+
+- Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
+
+- Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation.
+
+- Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature.
+
+- Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
+
+**With (optional) Tailored experiences:**<br> 
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+
+### Data Description for Browsing History data type
+|Sub-type|Description and examples |
+|- |- |
+|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:<ul><li>Text typed in **Address** bar and **Search** box</li><li>Text selected for an **Ask Cortana** search</li><li>Service response time</li><li>Auto-completed text, if there was an auto-complete</li><li>Navigation suggestions provided based on local history and favorites</li><li>Browser ID</li><li>URLs (may include search terms)</li><li>Page title</li></ul>|
+
+## Inking Typing and Speech Utterance data
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+
+### Data Use for Inking, Typing, and Speech Utterance data
+
+**For Diagnostics:**<br>
+[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
+
+- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
+
+- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
+
+- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+
+- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
+
+- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. 
+
+**With (optional) Tailored experiences:**
+
+**Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.**
+
+### Data Description for Inking, Typing, and Speech Utterance data type
+|Sub-type|Description and examples |
+|- |- |
+|Voice, inking, and typing|Information about voice, inking and typing features, such as:<ul><li>Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double click, pan, zoom, or rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user</li><li>Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user</li><li>Text of speech recognition results -- result codes and recognized text</li><li>Language and model of the recognizer and the System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and success or failure of speech recognition</li></ul>|
+
+## ISO/IEC 19944:2017-specific terminology
+This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
+
+|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|<a name="#provide">Provide</a> |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.|
+|<a name="#improve">Improve</a> |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.|
+|<a name="#personalize">Personalize</a> |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.|
+|<a name="#recommend">Recommend</a> |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.<br><br>Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.|
+|<a name="#offer">Offer</a> |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.<br><br>Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.|
+|<a name="#promote">Promote</a>|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.|
+
+<br><br>
+|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|<a name="#pseudo">Pseudonymized Data</a> |8.3.3 Pseudonymized data|As defined|
+|<a name="#anon">Anonymized Data</a> |8.3.5 Anonymized data|As defined|
+|<a name="#aggregate">Aggregated Data</a> |8.3.6 Aggregated data|As defined|
\ No newline at end of file
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 1f0ef3d834..8e67035c39 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 10/27/2017
+ms.date: 02/13/2018
 ms.localizationpriority: high
 ---
 
@@ -70,7 +70,7 @@ If any of these checks fails, the conversion will not proceed and an error will
 |/disk:\<diskNumber\>| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
 |/logs:\<logDirectory\>| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
 |/map:\<source\>=\<destination\>| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.|
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.|
 
 ## Examples
 
@@ -236,15 +236,18 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
 
 For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
 
-1. The existing MBR system partition is reused if it meets these requirements:
-  a. It is not also the OS or Windows Recovery Environment partition
-  b. It is at least 100MB (or 260MB for 4K sector size disks) in size
-  c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
-  d. If the conversion is being performed from the full OS, the disk being converted is not the system disk.
+1. The existing MBR system partition is reused if it meets these requirements:<br>
+  a. It is not also the OS or Windows Recovery Environment partition.<br>
+  b. It is at least 100MB (or 260MB for 4K sector size disks) in size.<br>
+  c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.<br>
+  d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed.
 2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
 
 If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
 
+>[!IMPORTANT]
+>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+
 ### Partition type mapping and partition attributes
 
 Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 6e06c0988e..c7591e103c 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -16,12 +16,13 @@
 
 
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
-### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+###Get started
+#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
 #### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
@@ -30,25 +31,29 @@
 ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
 ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
 ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
 #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
 #### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
 #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
 #### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
 #### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
-##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
-##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
-#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
+
+###Investigate and remediate threats
+####Alerts queue
+##### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+
+####Machines list
+##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
 ##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
 ##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
 ##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
@@ -56,8 +61,8 @@
 ###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
 ###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
 ###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
-#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
+
+
 #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
 ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
@@ -77,105 +82,114 @@
 ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
 ####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
 ####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
-##### Actor
-###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-##### Alerts
-###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-##### Domain
-######  [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 
-##### File
-###### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
+###API and SIEM support
+#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
-##### IP
-###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-##### Machines
-###### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+#### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain
+#######  [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP
+####### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
 
-##### User
-###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+######User
+####### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
+###Reporting
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
 
-### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+###Check service health and sensor state
+#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
 ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
 ##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
 ### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
 #### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
-#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
+#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
 #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
 #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
 #### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
 #### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
 
-### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
+### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
 ### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+
+##	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
 ##	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
 ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
 
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index 755ea84cfe..1475541a41 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: brianlic-msft
-ms.date: 11/02/2017
+ms.date: 02/13/2018
 ---
 
 # Steps to Deploy Windows Defender Application Control
@@ -142,6 +142,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
     <Deny  ID="ID_DENY_ADDINPROCESS"      FriendlyName="AddInProcess.exe"            FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535" />
     <Deny  ID="ID_DENY_ADDINPROCESS32"    FriendlyName="AddInProcess32.exe"          FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535" />
     <Deny  ID="ID_DENY_ADDINUTIL"         FriendlyName="AddInUtil.exe"               FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_WSL"               FriendlyName="wsl.exe"                     FileName="wsl.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_WSLCONFIG"         FriendlyName="wslconfig.exe"               FileName="wslconfig.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_WSLHOST"           FriendlyName="wslhost.exe"                 FileName="wslhost.exe" MinimumFileVersion = "65535.65535.65535.65535" />   
+    <Deny  ID="ID_DENY_INFINSTALL"        FriendlyName="infdefaultinstall.exe"       FileName="infdefaultinstall.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+    <Deny  ID="ID_DENY_LXRUN"             FriendlyName="lxrun.exe"                   FileName="lxrun.exe" MinimumFileVersion = "65535.65535.65535.65535" />
 
     <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
     <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
@@ -392,6 +397,46 @@ Microsoft recommends that you block the following Microsoft-signed applications
     <Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
     <Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
     <Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
+    <!--pubprn.vbs-->
+    <!--rs2 x86fre-->
+    <Deny ID="ID_DENY_D_249" FriendlyName="PubPrn 249" Hash="68E96BE23748AA680D5E1E557778901F332ED5D3" />
+    <Deny ID="ID_DENY_D_250" FriendlyName="PubPrn 250" Hash="8FA30B5931806565C2058E565C06AD5F1C5A48CDBE609975EB31207C25214063" />
+    <!--rs2 amd64fre-->
+    <Deny ID="ID_DENY_D_251" FriendlyName="PubPrn 251" Hash="32C4B29FE428B1DF473F3F4FECF519D285E93521" />
+    <Deny ID="ID_DENY_D_252" FriendlyName="PubPrn 252" Hash="D44FB563198D60DFDC91608949FE2FADAD6161854D084EB1968C558AA36513C7" />
+    <!--rs2 amd64chk-->
+    <Deny ID="ID_DENY_D_253" FriendlyName="PubPrn 253" Hash="9EDBEF086D350863F29175F5AB5178B88B142C75" />
+    <Deny ID="ID_DENY_D_254" FriendlyName="PubPrn 254" Hash="9B22C98351F2B6DEDDCED0D805C65F5B166FF519A8DF41EB242CB909471892EB" />
+    <!--rs2 x86chk-->
+    <Deny ID="ID_DENY_D_255" FriendlyName="PubPrn 255" Hash="8A3B30F345C43246B3500721CFEEADBAC6B9D9C6" />
+    <Deny ID="ID_DENY_D_256" FriendlyName="PubPrn 256" Hash="37C20BF20A2BBACE50957F8D0AB3FD16174BC005E79D47E51E899AFD9E4B7724" />
+    <!--rs2 woafre-->
+    <Deny ID="ID_DENY_D_257" FriendlyName="PubPrn 257" Hash="C659DAD2B37375781E2D584E16AAE2A10B5A1156" />
+    <Deny ID="ID_DENY_D_258" FriendlyName="PubPRn 258" Hash="EBDACA86F10AC0446D60CC75628EC7A370B1E2236E6D20F22372F91033B6D429" />
+    <!--rs3 amd64chk-->
+    <Deny ID="ID_DENY_D_259" FriendlyName="PubPrn 259" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4" />
+    <Deny ID="ID_DENY_D_260" FriendlyName="PubPrn 260" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F" />
+    <!--rs3 amd64fre-->
+    <Deny ID="ID_DENY_D_261" FriendlyName="PubPrn 261" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4" />
+    <Deny ID="ID_DENY_D_262" FriendlyName="PubPrn 262" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F" />
+    <!--rs3 arm64chk-->
+    <Deny ID="ID_DENY_D_263" FriendlyName="PubPrn 263" Hash="763A652217A1E30F2D288B7F44E08346949A02CD" />
+    <Deny ID="ID_DENY_D_264" FriendlyName="PubPrn 264" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D" />
+    <!--rs3 arm64fre-->
+    <Deny ID="ID_DENY_D_265" FriendlyName="PubPrn 265" Hash="763A652217A1E30F2D288B7F44E08346949A02CD" />
+    <Deny ID="ID_DENY_D_266" FriendlyName="PubPrn 266" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D" />
+    <!--rs3 woachk-->
+    <Deny ID="ID_DENY_D_267" FriendlyName="PubPrn 267" Hash="60FD28D770B23A0477679311D247DA4D5C61074C" />
+    <Deny ID="ID_DENY_D_268" FriendlyName="PubPrn 268" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F" />
+    <!--rs3 woafre-->
+    <Deny ID="ID_DENY_D_269" FriendlyName="PubPrn 269" Hash="60FD28D770B23A0477679311D247DA4D5C61074C" />
+    <Deny ID="ID_DENY_D_270" FriendlyName="PubPrn 270" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F" />
+    <!--rs3 x86chk-->
+    <Deny ID="ID_DENY_D_271" FriendlyName="PubPrn 271" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A" />
+    <Deny ID="ID_DENY_D_272" FriendlyName="PubPrn 272" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43" />
+    <!--rs3 x86fre-->
+    <Deny ID="ID_DENY_D_273" FriendlyName="PubPrn 273" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A" />
+    <Deny ID="ID_DENY_D_274" FriendlyName="PubPrn 274" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43" />
 
   </FileRules>
   <!--Signers-->
@@ -430,6 +475,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
           <FileRuleRef RuleID="ID_DENY_ADDINPROCESS"/>
           <FileRuleRef RuleID="ID_DENY_ADDINPROCESS32"/>
           <FileRuleRef RuleID="ID_DENY_ADDINUTIL"/>
+          <FileRuleRef RuleID="ID_DENY_WSL"/>
+          <FileRuleRef RuleID="ID_DENY_WSLCONFIG"/>
+          <FileRuleRef RuleID="ID_DENY_WSLHOST"/>
+          <FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
+          <FileRuleRef RuleID="ID_DENY_LXRUN"/>
           <FileRuleRef RuleID="ID_DENY_D_1" />
           <FileRuleRef RuleID="ID_DENY_D_2" />
           <FileRuleRef RuleID="ID_DENY_D_3" />
@@ -678,6 +728,32 @@ Microsoft recommends that you block the following Microsoft-signed applications
           <FileRuleRef RuleID="ID_DENY_D_246"/>
           <FileRuleRef RuleID="ID_DENY_D_247"/>
           <FileRuleRef RuleID="ID_DENY_D_248"/>
+          <FileRuleRef RuleID="ID_DENY_D_249"/>
+          <FileRuleRef RuleID="ID_DENY_D_250"/>
+          <FileRuleRef RuleID="ID_DENY_D_251"/>
+          <FileRuleRef RuleID="ID_DENY_D_252"/>
+          <FileRuleRef RuleID="ID_DENY_D_253"/>
+          <FileRuleRef RuleID="ID_DENY_D_254"/>
+          <FileRuleRef RuleID="ID_DENY_D_255"/>
+          <FileRuleRef RuleID="ID_DENY_D_256"/>
+          <FileRuleRef RuleID="ID_DENY_D_257"/>
+          <FileRuleRef RuleID="ID_DENY_D_258"/>
+          <FileRuleRef RuleID="ID_DENY_D_259"/>
+          <FileRuleRef RuleID="ID_DENY_D_260"/>
+          <FileRuleRef RuleID="ID_DENY_D_261"/>
+          <FileRuleRef RuleID="ID_DENY_D_262"/>
+          <FileRuleRef RuleID="ID_DENY_D_263"/>
+          <FileRuleRef RuleID="ID_DENY_D_264"/>
+          <FileRuleRef RuleID="ID_DENY_D_265"/>
+          <FileRuleRef RuleID="ID_DENY_D_266"/>
+          <FileRuleRef RuleID="ID_DENY_D_267"/>
+          <FileRuleRef RuleID="ID_DENY_D_268"/>
+          <FileRuleRef RuleID="ID_DENY_D_269"/>
+          <FileRuleRef RuleID="ID_DENY_D_270"/>
+          <FileRuleRef RuleID="ID_DENY_D_271"/>
+          <FileRuleRef RuleID="ID_DENY_D_272"/>
+          <FileRuleRef RuleID="ID_DENY_D_273"/>
+          <FileRuleRef RuleID="ID_DENY_D_274"/>
         </FileRulesRef>
       </ProductSigners>
     </SigningScenario>
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 6cdf425a42..e3847a41ad 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -57,8 +57,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
 Topic | Description
 :---|:---
 [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
 [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
 [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
 [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
 [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png
new file mode 100644
index 0000000000..13b0392123
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index d928035ce4..b376019c6a 100644
--- a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Defender Advanced Threat Protection settings
+title: Windows Defender Advanced Threat Protection time zone settings
 description: Use the menu to configure the time zone and view license information.
 keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
 search.product: eADQiWindows 10XVcnh
@@ -8,12 +8,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
-author: DulceMV
+author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/30/2017
+ms.date: 02/13/2018
 ---
 
-# Windows Defender Advanced Threat Protection settings
+# Windows Defender Advanced Threat Protection time zone settings
 
 **Applies to:**
 
@@ -27,7 +27,7 @@ ms.date: 10/30/2017
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink)
 
-Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone and view license information.
+Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information.
 
 ## Time zone settings
 The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
@@ -36,7 +36,7 @@ Cyberforensic investigations often rely on time stamps to piece together the seq
 
 Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
 
-Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu ![Settings icon](images/settings.png).
+Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
 
 ### UTC time zone
 Windows Defender ATP uses UTC time by default.
@@ -55,7 +55,7 @@ The Windows Defender ATP time zone is set by default to UTC.
 Setting the time zone also changes the times for all Windows Defender ATP views.
 To set the time zone:
 
-1.	Click the **Settings** menu ![Settings icon](images/settings.png).
+1.	Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
 2.	Select the **Timezone UTC** indicator.
 3.	Select **Timezone UTC** or your local time zone, for example -7:00. 
 
@@ -88,5 +88,4 @@ The following date and time formats are currently not supported:
 **Decimal symbol used in numbers**<br>
 Decimal symbol used is always a dot, even if a comma is selected in  the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
 
-## License
-Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
+
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 487679607d..0dd01e9e60 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -307,5 +307,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
 
 
 ## Related topics
+- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
 - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index 114d11828b..c384aeaa9e 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 02/13/2018
 ---
 
 # Troubleshoot SIEM tool integration issues
@@ -36,7 +36,7 @@ If your client secret expires or if you've misplaced the copy provided when you
 
 1. Login to the [Azure management portal](https://ms.portal.azure.com).
 
-2. Select **Active Directory**.
+2. Select **Azure Active Directory**.
 
 3. Select your tenant.
 
@@ -48,10 +48,27 @@ If your client secret expires or if you've misplaced the copy provided when you
 
 7. Copy the value and save it in a safe place.
 
+## Error when getting a refresh access token
+If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Azure Active Directory**.
+
+3. Select your tenant.
+
+4. Click **App Registrations**. Then in the applications list, select the application:
+    - For SIEM: `https://WindowsDefenderATPSiemConnector`
+    - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+
+5. Add the following URL:
+   - For US:  `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
+   - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
+
+6. Click **Save**.
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) 
 
-
 ## Related topics
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 336ff2d686..64bd439f18 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -71,6 +71,6 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
 
 
-### Related topic
+## Related topics
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 - [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index 8e87ecf9ea..c4691b7324 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -40,4 +40,5 @@ Topic | Description
 [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
 [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
 [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
+[Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
 [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API.
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 7068cb4a06..75aed7ba70 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 02/13/2018
 ---
 
 # Use the Windows Defender Advanced Threat Protection portal
@@ -27,32 +27,19 @@ ms.date: 10/16/2017
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) 
 
-A typical security breach investigation requires a member of a security operations team to:
+You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards.
 
-1. View an alert on the **Security operations dashboard** or **Alerts queue**
-2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
-3. Review a timeline of alerts, behaviors, and events from the machine
-4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
+Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
 
-![Flowchart describing the four stages of investigation](images/overview.png)
+Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
 
-Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
-
-Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
 
 ### In this section
 
 Topic | Description
 :---|:---
+[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
 [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP  **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
 [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
-[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
-[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
-[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
-[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
-[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
-[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
-[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
-[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
-[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
+
+