Merge pull request #11 from isbrahm/pr/10

Pr/10
isbrahm 2020-01-22 14:57:04 -08:00 committed by GitHub
commit ce62c0fde7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
763 changed files with 11269 additions and 7810 deletions


@ -45,6 +45,16 @@
"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker", "redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "devices/hololens/hololens-find-and-save-files.md",
"redirect_url": "https://docs.microsoft.com/hololens/holographic-data",
"redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-management-overview.md",
"redirect_url": "https://docs.microsoft.com/hololens",
"redirect_document_id": false
},
{ {
"source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md", "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
"redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates", "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
@ -956,6 +966,11 @@
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md", "source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
"redirect_document_id": false "redirect_document_id": false
@ -966,6 +981,51 @@
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table",
"redirect_document_id": true
},
{
"source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection",
"redirect_document_id": true "redirect_document_id": true
@ -1657,11 +1717,6 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score",
"redirect_document_id": true "redirect_document_id": true

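--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -0,0 +1,5 @@
+docfx.json @microsoftdocs/officedocs-admin
+.openpublishing.build.ps1 @microsoftdocs/officedocs-admin
+.openpublishing.publish.config.json @microsoftdocs/officedocs-admin
+CODEOWNERS @microsoftdocs/officedocs-admin
+.acrolinx-config.edn @microsoftdocs/officedocs-admin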
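Review bot: The five patterns in this new CODEOWNERS file have no leading slash (`docfx.json`, not `/docfx.json`), so each one matches a file of that name in any directory rather than only the copy at the repository root; if only the root build and publishing files are meant to be gated, anchor them, for example `/docfx.json @microsoftdocs/officedocs-admin`. The file also carries no comment recording why these files are owned by the admin team; a header line such as `# Build and publishing configuration: changes require review from @microsoftdocs/officedocs-admin` would document the intent. Ownership entries only block a merge when the protected branch is configured to require code-owner review, which this page does not show, so that setting is worth confirming alongside this change.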


@ -2,19 +2,19 @@
documentType: LandingData documentType: LandingData
title: Microsoft Edge group policies title: Microsoft Edge Legacy group policies
metadata: metadata:
document_id: document_id:
title: Microsoft Edge group policies title: Microsoft Edge Legacy group policies
description: Learn how to configure group policies in Microsoft Edge on Windows 10. description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10.
text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).)
keywords: Microsoft Edge, Windows 10, Windows 10 Mobile keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile
ms.localizationpriority: medium ms.localizationpriority: medium
@ -36,7 +36,7 @@ sections:
- type: markdown - type: markdown
text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
- items: - items:


@ -2,19 +2,19 @@
documentType: LandingData documentType: LandingData
title: Microsoft Edge Group Policy configuration options title: Microsoft Edge Legacy Group Policy configuration options
metadata: metadata:
document_id: document_id:
title: Microsoft Edge Group Policy configuration options title: Microsoft Edge Group Legacy Policy configuration options
description: description:
text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar.
keywords: Microsoft Edge, Windows 10 keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium ms.localizationpriority: medium
@ -36,7 +36,7 @@ sections:
- type: markdown - type: markdown
text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions.
- items: - items:
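Review bot: The new metadata `title` in the first hunk of this file reads `Microsoft Edge Group Legacy Policy configuration options`, while the top-level `title` three lines above it was changed to `Microsoft Edge Legacy Group Policy configuration options`; the word order in the metadata value looks like a slip and should be `title: Microsoft Edge Legacy Group Policy configuration options`. The two values were identical before the change, so they presumably should stay in sync. Indentation was lost in this rendering, so the nesting of `title` under `metadata:` is inferred from the key order.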


@ -1,6 +1,6 @@
--- ---
title: Deploy Microsoft Edge kiosk mode title: Deploy Microsoft Edge Legacy kiosk mode
description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access.
ms.assetid: ms.assetid:
ms.reviewer: ms.reviewer:
audience: itpro audience: itpro
@ -11,20 +11,24 @@ ms.prod: edge
ms.sitesec: library ms.sitesec: library
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 10/29/2018 ms.date: 01/17/2020
--- ---
# Deploy Microsoft Edge kiosk mode # Deploy Microsoft Edge Legacy kiosk mode
>Applies to: Microsoft Edge on Windows 10, version 1809 >Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
>Professional, Enterprise, and Education >Professional, Enterprise, and Education
> [!NOTE] > [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). > You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service. In this topic, you'll learn:
- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access.
- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
@ -33,7 +37,7 @@ At the end of this topic, you can find a list of [supported policies](#supported
>**Policy** = Configure kiosk mode (ConfigureKioskMode) >**Policy** = Configure kiosk mode (ConfigureKioskMode)
Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) - Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
@ -44,15 +48,17 @@ Microsoft Edge kiosk mode supports four configurations types that depend on how
- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down). - Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down).
### Important things to remember before getting started ### Important things to note before getting started
- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. - There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. - The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more. - Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more.
- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).<p>Learn more about assigned access: - No matter which configuration type you choose, you must set up Microsoft Edge Legacy in assigned access; otherwise, Microsoft Edge Legacy ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).<p>Learn more about assigned access:
- [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
@ -65,46 +71,58 @@ Microsoft Edge kiosk mode supports four configurations types that depend on how
[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] [!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
## Set up Microsoft Edge kiosk mode ## Set up Microsoft Edge Legacy kiosk mode
Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode: Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode:
- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. - **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). - **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
### Prerequisites ### Prerequisites
- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). - Microsoft Edge Legacy on Windows 10, version 1809 (Professional, Enterprise, and Education).
- See [Setup required for Microsoft Edge Legacy kiosk mode](#setup-required-for-microsoft-edge-legacy-kiosk-mode).
- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: - _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy:
``` ```
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
``` ```
### Setup required for Microsoft Edge Legacy kiosk mode
When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions:
- If you plan to install Microsoft Edge Stable channel, want to allow it to be installed, or it is already installed on your kiosk device set the Microsoft Edge [Allow Microsoft Edge Side by Side browser experience](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#allowsxs) policy to **Enabled**.
- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge.
> [!NOTE]
> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
### Use Windows Settings ### Use Windows Settings
Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. 1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
2. On the **Set up a kiosk** page, click **Get started**. 2. On the **Set up a kiosk** page, click **Get started**.
3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. 3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**.
4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. 4. On the **Choose a kiosk app** page, select **Microsoft Edge Legacy** and then click **Next**.
5. Select how Microsoft Edge displays when running in kiosk mode: 5. Select how Microsoft Edge Legacy displays when running in kiosk mode:
- **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data. - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
- **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data. - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
6. Select **Next**. 6. Select **Next**.
@ -124,42 +142,42 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
- User your new kiosk device. <p> - User your new kiosk device. <p>
OR<p> OR<p>
- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. - Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**.
--- ---
### Use Microsoft Intune or other MDM service ### Use Microsoft Intune or other MDM service
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
>[!IMPORTANT] >[!IMPORTANT]
>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. >If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. 2. Configure the following MDM settings to setup Microsoft Edge Legacy kiosk mode on the kiosk device and then restart the device.
| | | | | |
|---|---| |---|---|
| **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> | | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge Legacy running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
| **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> | | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> |
| **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> | | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> |
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> | | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> |
| **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com | | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com | | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
**_Congratulations!_** <p>Youve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. **_Congratulations!_** <p>Youve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
**_What's next?_** <p>Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode. **_What's next?_** <p>Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge Legacy kiosk mode.
--- ---
## Supported policies for kiosk mode ## Supported policies for kiosk mode
Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions. Make sure to check with your provider for instructions.
@ -236,10 +254,11 @@ Make sure to check with your provider for instructions.
--- ---
## Feature comparison of kiosk mode and kiosk browser app ## Feature comparison of kiosk mode and kiosk browser app
In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | | **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| |-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | | Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | | Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
@ -261,9 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
## Provide feedback or get support ## Provide feedback or get support
To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. **_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.


@ -186,3 +186,6 @@
### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md) ### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md) ### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
## Troubleshooting
### [Clear the Internet Explorer cache from a command line](/../troubleshooting/clear-ie-cache-from-command-line.md)
### [IE and Microsoft Edge FAQ for IT Pros](/../troubleshooting/ie-edge-faqs.md)


@ -0,0 +1,133 @@
---
title: Clear the Internet Explorer cache from a command line
description: Introduces command-line commands and a sample batch file for clearing the IE cache.
author: ramakoni
manager: dcscontentpm
ms.prod: internet-explorer
ms.topic: troubleshooting
ms.author: ramakoni
ms.custom: CI=111020
ms.reviewer: ramakoni, DEV_Triage
audience: ITPro
ms.localizationpriority: Normal
ms.date: 01/20/2020
---
# How to clear Internet Explorer cache by using the command line
This article outlines the procedure to clear the Internet Explorer cache by using the command line.
## Command line commands to clear browser cache
1. Delete history from the Low folder
`del /s /q C:\Users\\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah`
2. Delete history
`RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 1`
3. Delete cookies
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2`
4. Delete temporary internet files
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8`
5. Delete form data
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16`
6. Delete stored passwords
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32`
7. Delete all
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255`
8. Delete files and settings stored by add-ons
`InetCpl.cpl,ClearMyTracksByProcess 4351`
If you upgraded from a previous version of Internet Explorer, you have to use the following commands to delete the files from older versions:
`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9`
Command to reset Internet Explorer settings:
`Rundll32.exe inetcpl.cpl ResetIEtoDefaults`
## Sample batch file to clear Internet Explorer cache files
A sample batch file is available that you can use to clear Internet Explorer cache files and other items. You can download the file from https://msdnshared.blob.core.windows.net/media/2017/09/ClearIE_Cache.zip.
The batch file offers the following options:
- Delete Non-trusted web History (low-level hidden cleanup)
- Delete History
- Delete Cookies
- Delete Temporary Internet Files
- Delete Form Data
- Delete Stored Passwords
- Delete All
- Delete All "Also delete files and settings stored by add-ons"
- Delete IE10 and IE9 Temporary Internet Files
- Resets IE Settings
- EXIT
**Contents of the batch file**
```console
@echo off
:: AxelR Test Batch
:: tested on Windows 8 + IE10, Windows7 + IE9
:home
cls
COLOR 00
echo Delete IE History
echo Please select the task you wish to run.
echo Pick one:
echo.
echo 1. Delete Non-trusted web History(low level hidden clean up)
echo 2. Delete History
echo 3. Delete Cookies
echo 4. Delete Temporary Internet Files
echo 5. Delete Form Data
echo 6. Delete Stored Passwords
echo 7. Delete All
echo 8. Delete All "Also delete files and settings stored by add-ons"
echo 9. Delete IE10 and 9 Temporary Internet Files
echo 10. Reset IE Settings
echo 77. EXIT
:choice
Echo Hit a number [1-10] and press enter.
set /P CH=[1-10]
if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
if "%CH%"=="77" goto quit
%x%
goto Home
::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
::that are saved for faster viewing.
::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
::websites to save preferences such as login information.
::History > Delete history - To delete the history of the websites you have visited.
::Form data > Delete forms - To delete all the saved information that you have typed into
::forms.
::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
::when you log on to a website that you've previously visited.
::Delete all - To delete all of these listed items in one operation.
::enter below in search/run to see Low history dir if exists
::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
::Delete all low(untrusted history) very hidden
::this will clean any unlocked files under the dir and not delete the dir structure
::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
goto Home
```
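Review bot: In the batch listing, `CH` and `x` are never cleared before `set /P CH=[1-10]`, so pressing Enter on an empty line or typing an unlisted number runs the previous selection again at `%x%`, which may be option 6 (stored passwords), 7 or 8 (delete all) or 10 (reset). Clearing both with `set "CH="` and `set "x="` right after `:choice`, and replacing the bare `%x%` with `if defined x %x%`, avoids the repeat. `goto quit` has no matching `:quit` label in the listing, and command 8 in the numbered list is missing its `RunDll32.exe` prefix. Since readers are pointed at a downloadable ZIP of this script, publishing a SHA-256 for it next to the link would let them verify what they run.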


@ -0,0 +1,229 @@
---
title: IE and Microsoft Edge FAQ for IT Pros
description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
author: ramakoni
manager: dcscontentpm
ms.prod: internet-explorer
ms.topic: troubleshooting
ms.author: ramakoni
ms.custom: CI=111020
ms.reviewer: ramakoni
audience: ITPro
ms.localizationpriority: Normal
ms.date: 01/20/2020
---
# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
## Cookie-related questions
### What is a cookie?
An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
### How does Internet Explorer handle cookies?
For more information about how Internet Explorer handles cookies, see the following articles:
- [Beware Cookie Sharing in Cross-Zone Scenarios](https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/)
- [A Quick Look at P3P](https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/)
- [Internet Explorer Cookie Internals FAQ](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/)
- [Privacy Beyond Blocking Cookies](https://blogs.msdn.microsoft.com/ie/2008/08/25/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content/)
- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
### Where does Internet Explorer store cookies?
To see where Internet Explorer stores its cookies, follow these steps:
1. Start File Explorer.
2. Select **Views** > **Change folder and search options**.
3. In the **Folder Options** dialog box, select **View**.
4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
5. Clear **Hide protected operation system files (Recommended)**.
6. Select **Apply**.
7. Select **OK**.
The following are the folder locations where the cookies are stored:
**In Windows 10**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
**In Windows 8 and Windows 8.1**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
**In Windows 7**
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
### What is the per-domain cookie limit?
Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
The JavaScript limitation was updated to 10 KB from 4 KB.
For more information, see [Internet Explorer Cookie Internals (FAQ)](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/).
#### Additional information about cookie limits
**What does the Cookie RFC allow?**
RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
- At least 300 cookies total
- At least 20 cookies per unique host or domain name
For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
### Cookie size limit per domain
Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
## Proxy Auto Configuration (PAC)-related questions
### Is an example Proxy Auto Configuration (PAC) file available?
Here is a simple PAC file:
```vb
function FindProxyForURL(url, host)
{
return "PROXY proxyserver:portnumber";
}
```
> [!NOTE]
> The previous PAC always returns the **proxyserver:portnumber** proxy.
For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
**Third-party information disclaimer**
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
### How to improve performance by using PAC scripts
- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr)
- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)
## Other questions
### How to set home and start pages in Microsoft Edge and allow user editing
For more information, see the following blog article:
[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/)
### How to add sites to the Enterprise Mode (EMIE) site list
For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool).
### What is Content Security Policy (CSP)?
By using [Content Security Policy](https://docs.microsoft.com/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
For more information, see the following articles:
- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
### Where to find Internet Explorer security zones registry entries
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
The default Zone Keys are stored in the following locations:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
### Why don't HTML5 videos play in Internet Explorer 11?
To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
- 0 (the default value): Allow
- 3: Disallow
This key is read by the **URLACTION_ALLOW_AUDIO_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
For more information, see [Unable to play HTML5 Videos in IE](https://blogs.msdn.microsoft.com/askie/2014/12/31/unable-to-play-html5-videos-in-ie/).
For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
### What is the Enterprise Mode Site List Portal?
This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
### What is Enterprise Mode Feature?
For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode).
### Where can I obtain a list of HTTP Status codes?
For information about this list, see [HTTP Status Codes](https://docs.microsoft.com/windows/win32/winhttp/http-status-codes).
### What is end of support for Internet Explorer 11?
Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
### How to configure TLS (SSL) for Internet Explorer
For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
### What is Site to Zone?
Site to Zone usually refers to one of the following:
**Site to Zone Assignment List**
This is a Group Policy policy setting that can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
- Intranet zone
- Trusted Sites zone
- Internet zone
- Restricted Sites zone
If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
**Site to Zone Mapping**
Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
**Site to Zone Assignment List policy**
This policy setting is available for both Computer Configuration and User Configuration:
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
**References**
[How to configure Internet Explorer security zone sites using group polices](https://blogs.msdn.microsoft.com/askie/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices/)
### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](https://docs.microsoft.com/previous-versions/cc304129(v=vs.85)).
### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](https://blogs.msdn.microsoft.com/jpsanders/2009/06/29/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer/).
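Review bot: Under **Site to Zone Mapping** the two policy subkeys end differently, `...\Internet Settings\ZoneMap` for HKEY_LOCAL_MACHINE and `...\Internet Settings\ZoneMapKey` for HKEY_CURRENT_USER, so an administrator auditing zone assignments may look in the wrong place for one hive. To my knowledge the Site to Zone Assignment List policy writes to `ZoneMapKey` in both hives, so the HKLM line looks like the typo; please confirm before publishing. In the cookie section, step 4 says to select **Do not show hidden files, folders, or drivers**, which would keep the listed AppData folders hidden, and the Windows 10 location is given as `INetCache` while Windows 8 and 8.1 use `INetCookies`; both are worth checking. The PAC sample fence is tagged `vb` although the content is JavaScript.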


@ -28,10 +28,11 @@
# Navigating Windows Holographic # Navigating Windows Holographic
## [Start menu and mixed reality home](holographic-home.md) ## [Start menu and mixed reality home](holographic-home.md)
## [Use your voice with HoloLens](hololens-cortana.md) ## [Use your voice with HoloLens](hololens-cortana.md)
## [Find and save files](hololens-find-and-save-files.md) ## [Find and save files](holographic-data.md)
## [Create, share, and view photos and video](holographic-photos-and-videos.md) ## [Create, share, and view photos and video](holographic-photos-and-videos.md)
# User management and access management # User management and access management
## [Accounts on HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md)
## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) ## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md)
## [Set up limited application access](hololens-kiosk.md) ## [Set up limited application access](hololens-kiosk.md)
@ -53,15 +54,14 @@
## [Spatial mapping on HoloLens](hololens-spaces.md) ## [Spatial mapping on HoloLens](hololens-spaces.md)
# Update, troubleshoot, or recover HoloLens # Update, troubleshoot, or recover HoloLens
## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)
## [Update HoloLens](hololens-update-hololens.md) ## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover](hololens-recovery.md) ## [Restart, reset, or recover](hololens-recovery.md)
## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md) ## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md) ## [Frequently asked questions](hololens-faq.md)
## [Hololens services status](hololens-status.md)
# [Release Notes](hololens-release-notes.md) # [Release Notes](hololens-release-notes.md)
# [Hololens status](hololens-status.md)
# [Give us feedback](hololens-feedback.md) # [Give us feedback](hololens-feedback.md)
# [Join the Windows Insider program](hololens-insider.md) # [Join the Windows Insider program](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md)


@ -0,0 +1,100 @@
---
title: Find and save files on HoloLens
description: Use File Explorer on HoloLens to view and manage files on your device
keywords: how-to, file picker, files, photos, videos, pictures, OneDrive, storage, file explorer
ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
author: mattzmsft
ms.author: mazeller
manager: v-miegge
ms.reviewer: jarrettrenshaw
ms.date: 12/30/2019
keywords: hololens
ms.prod: hololens
ms.sitesec: library
ms.topic: article
audience: ITPro
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Find, open, and save files on HoloLens
Files you create on HoloLens, including photos and videos, are saved directly to your HoloLens device. View and manage them in the same way you would manage files on Windows 10:
- Using the File Explorer app to access local folders.
- Within an app's storage.
- In a special folder (such as the video or music library).
- Using a storage service that includes an app and file picker (such as OneDrive).
- Using a desktop PC connected to your HoloLens by using a USB cable, using MTP (Media Transfer Protocol) support.
## View files on HoloLens using File Explorer
> Applies to all HoloLens 2 devices and HoloLens (1st gen) as of the [Windows 10 April 2018 Update (RS4) for HoloLens](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018).
Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to **Start** > **All apps** > **File Explorer** to get started.
> [!TIP]
> If there are no files listed in File Explorer, select **This Device** in the top left pane.
If you dont see any files in File Explorer, the "Recent" filter may be active (clock icon is highlighted in left pane). To fix this, select the **This Device** document icon in the left pane (beneath the clock icon), or open the menu and select **This Device**.
## Find and view your photos and videos
[Mixed reality capture](holographic-photos-and-videos.md) lets you take mixed reality photos and videos on HoloLens. These photos and videos are saved to the device's Camera Roll folder.
You can access photos and videos taken with HoloLens by:
- accessing the Camera Roll directly through the [Photos app](holographic-photos-and-videos.md).
- uploading photos and videos to cloud storage by syncing your photos and videos to OneDrive.
- using the Mixed Reality Capture page of the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#mixed-reality-capture).
### Photos app
The Photos app is one of the default apps on the **Start** menu, and comes built-in with HoloLens. Learn more about [using the Photos app to view content](holographic-photos-and-videos.md).
You can also install the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store to sync photos to other devices.
### OneDrive app
[OneDrive](https://onedrive.live.com/) lets you access, manage, and share your photos and videos with any device and with any user. To access the photos and videos captured on HoloLens, download the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store on your HoloLens. Once downloaded, open the OneDrive app and select **Settings** > **Camera upload**, and turn on **Camera upload**.
### Connect to a PC
If your HoloLens is running the [Windows 10 April 2018 update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) or later, you can connect your HoloLens to a Windows 10 PC by using a USB cable to browse photos and videos on the device by using MTP (media transfer protocol). You'll need to make sure the device is unlocked to browse files if you have a PIN or password set up on your device.
If you have enabled the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal), you can use it to browse, retrieve, and manage the photos and videos stored on your device.
## Access files within an app
If an application saves files on your device, you can use that application to access them.
### Requesting files from another app
An application can request to save a file or open a file from another app by using [file pickers](https://docs.microsoft.com/windows/mixed-reality/app-model#file-pickers).
### Known folders
HoloLens supports a number of [known folders](https://docs.microsoft.com/windows/mixed-reality/app-model#known-folders) that apps can request permission to access.
## View HoloLens files on your PC
Similar to other mobile devices, connect HoloLens to your desktop PC using MTP (Media Transfer Protocol) and open File Explorer on the PC to access your HoloLens libraries for easy transfer.
To see your HoloLens files in File Explorer on your PC:
1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
> [!NOTE]
> HoloLens (1st gen) does not support connecting to external hard drives or SD cards.
## Sync to the cloud
To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.


@ -137,7 +137,7 @@ Try walking around and looking at the area where you're placing the app so HoloL
Free up some storage space by doing one or more of the following: Free up some storage space by doing one or more of the following:
- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md) - Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Delete some pictures and videos in the Photos app. - Delete some pictures and videos in the Photos app.
- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) - Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.)


@ -99,7 +99,7 @@ You can also disable the calibration prompt by following these steps:
1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**. 1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**.
> [!IMPORTANT] > [!IMPORTANT]
> Please understand that this setting may adversely affect hologram rendering quality and comfort. > This setting may adversely affect hologram rendering quality and comfort. When you turn off this setting, features that depend on eye tracking (such as text scrolling) no longer work in immersive applications.
### HoloLens 2 eye-tracking technology ### HoloLens 2 eye-tracking technology


@ -36,6 +36,9 @@ Get around HoloLens faster with these basic commands. In order to use these you
Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.”
>[!NOTE]
>Hand rays are not supported on HoloLens (1st Gen).
| Say this | To do this | | Say this | To do this |
| - | - | | - | - |
| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. | | "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. |
@ -56,7 +59,7 @@ To use these commands, gaze at a 3D object, hologram, or app window.
| "Face me" | Turn it to face you | | "Face me" | Turn it to face you |
| "Move this" | Move it (follow your gaze) | | "Move this" | Move it (follow your gaze) |
| "Close" | Close it | | "Close" | Close it |
| "Follow" / "Stop following" | Make it follow you as you move around | | "Follow me" / "Stop following" | Make it follow you as you move around |
### See it, say it ### See it, say it
@ -64,7 +67,7 @@ Many buttons and other elements on HoloLens also respond to your voice—for exa
### Dictation mode ### Dictation mode
Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone icon or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that." Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
> [!NOTE] > [!NOTE]
> To use dictation mode, you have to have an internet connection. > To use dictation mode, you have to have an internet connection.


@ -1,50 +0,0 @@
---
title: Find and save files on HoloLens
description: Use File Explorer on HoloLens to view and manage files on your device
ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens
ms.sitesec: library
author: v-miegge
ms.author: v-miegge
ms.topic: article
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Find and save files on HoloLens
Add content from [Find and save files](https://docs.microsoft.com/windows/mixed-reality/saving-and-finding-your-files)
Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens.
## View files on HoloLens
Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to Start > All apps > File Explorer on HoloLens to get started.
>[!TIP]
>If there are no files listed in File Explorer, select **This Device** in the top left pane.
## View HoloLens files on your PC
To see your HoloLens files in File Explorer on your PC:
1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
>[!TIP]
>To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
## Sync to the cloud
To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
>[!TIP]
>HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.


@ -0,0 +1,111 @@
---
title: Managing user identity and login on HoloLens
description: Manage user identity, security, and login on HoloLens.
keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference
ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e
author: scooley
ms.author: scooley
ms.date: 1/6/2019
ms.prod: hololens
ms.topic: article
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
audience: ITPro
manager: jarrettr
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# User identity and signin
> [!NOTE]
> This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)".
Like other Windows devices, HoloLens always operates under a user context. There is always a user identity. HoloLens treats identity in almost the same manner as other Windows 10 devices do. This article is a deep-dive reference for identity on HoloLens, and focuses on how HoloLens differs from other Windows 10 devices.
HoloLens supports several kinds of user identities. You can use one or more user accounts to sign in. Here's an overview of the identity types and authentication options on HoloLens:
| Identity type | Accounts per device | Authentication options |
| --- | --- | --- |
| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) | <ul><li>Azure web credential provider</li><li>Azure Authenticator App</li><li>Biometric (Iris) &ndash; HoloLens 2 only</li><li>PIN &ndash; Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 | <ul><li>Biometric (Iris) &ndash; HoloLens 2 only</li><li>PIN &ndash; Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password |
Cloud-connected accounts (AAD and MSA) offer more features because they can use Azure services.
## Setting up users
The most common way to set up a new user is during the HoloLens out-of-box experience (OOBE). During setup, HoloLens prompts for a user to sign in by using the account that they want to use on the device. This account can be a consumer Microsoft account or an enterprise account that has been configured in Azure. See Setting up your [HoloLens (1st gen)](hololens1-start.md) or [HoloLens 2](hololens2-start.md).
Like Windows on other devices, signing in during setup creates a user profile on the device. The user profile stores apps and data. The same account also provides Single Sign-on for apps such as Edge or Skype by using the Windows Account Manager APIs.
If you use an enterprise or organizational account to sign in to HoloLens, HoloLens enrolls in the organization's IT infrastructure. This enrollment allows your IT Admin to configure Mobile Device Management (MDM) to send group policies to your HoloLens.
By default, as for other Windows 10 devices, you'll have to sign in again when HoloLens restarts or resumes from standby. You can use the Settings app to change this behavior, or the behavior can be controlled by group policy.
### Linked accounts
As in the Desktop version of Windows, you can link additional web account credentials to your HoloLens account. Such linking makes it easier to access resources across or within apps (such as the Store) or to combine access to personal and work resources. After you connect an account to the device, you can grant permission to use the device to apps so that you don't have to sign in to each app individually.
Linking accounts does not separate the user data created on the device, such as images or downloads.
### Setting up multi-user support (AAD only)
> [!NOTE]
> **HoloLens (1st gen)** began supporting multiple AAD users in the [Windows 10 April 2018 Update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) as part of [Windows Holographic for Business](hololens-upgrade-enterprise.md).
HoloLens supports multiple users from the same AAD tenant. To use this feature, you must use an account that belongs to your organization to set up the device. Subsequently, other users from the same tenant can sign in to the device from the sign-in screen or by tapping the user tile on the Start panel. Only one user can be signed in at a time. When a user signs in, HoloLens signs out the previous user.
All users can use the apps installed on the device. However, each user has their own app data and preferences. Removing an app from the device removes it for all users.
## Removing users
You can remove a user from the device by going to **Settings** > **Accounts** > **Other people**. This action also reclaims space by removing all of that user's app data from the device.
## Using single sign-on within an app
As an app developer, you can take advantage of linked identities on HoloLens by using the [Windows Account Manager APIs](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.Web.Core), just as you would on other Windows devices. Some code samples for these APIs are available [here](https://go.microsoft.com/fwlink/p/?LinkId=620621).
Any account interrupts that might occur, such as requesting user consent for account information, two-factor authentication, and so forth, must be handled when the app requests an authentication token.
If your app requires a specific account type that hasn't been linked previously, your app can ask the system to prompt the user to add one. This request triggers the account settings pane to launch as a modal child of your app. For 2D apps, this window renders directly over the center of your app. For Unity apps, this request briefly takes the user out of your holographic app to render the child window. For information about customizing the commands and actions on this pane, see [WebAccountCommand Class](https://docs.microsoft.com/uwp/api/Windows.UI.ApplicationSettings.WebAccountCommand).
## Enterprise and other authentication
If your app uses other types of authentication, such as NTLM, Basic, or Kerberos, you can use [Windows Credential UI](https://docs.microsoft.com/uwp/api/Windows.Security.Credentials.UI) to collect, process, and store the user's credentials. The user experience for collecting these credentials is very similar to other cloud-driven account interrupts, and appears as a child app on top of your 2D app or briefly suspends a Unity app to show the UI.
## Deprecated APIs
One way in which developing for HoloLens differs from developing for Desktop is that the [OnlineIDAuthenticator](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.OnlineId.OnlineIdAuthenticator) API is not fully supported. Although the API returns a token if the primary account is in good-standing, interrupts such as those described in this article do not display any UI for the user and fail to correctly authenticate the account.
## Frequently asked questions
### Is Windows Hello for Business supported on HoloLens?
Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens:
1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md).
1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello))
1. On HoloLens, the user can then use **Settings** > **Sign-in Options** > **Add PIN** to set up a PIN.
> [!NOTE]
> Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview).
#### Does the type of account change the sign-in behavior?
Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type:
- **Microsoft account**: signs in automatically
- **Local account**: always asks for password, not configurable in **Settings**
- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password.
> [!NOTE]
> Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy.
## Additional resources
Read much more about user identity protection and authentication on [the Windows 10 security and identity documentation](https://docs.microsoft.com/windows/security/identity-protection/).
Learn more about setting up hybrid identity infrastructure thorough the [Azure Hybrid identity documentation](https://docs.microsoft.com/azure/active-directory/hybrid/).


@ -3,11 +3,12 @@ title: Insider preview for Microsoft HoloLens (HoloLens)
description: Its simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. description: Its simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
ms.prod: hololens ms.prod: hololens
ms.sitesec: library ms.sitesec: library
author: dansimp author: scooley
ms.author: dansimp ms.author: scooley
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 10/23/2018 audience: ITPro
ms.date: 1/6/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
appliesto: appliesto:
@ -19,36 +20,35 @@ appliesto:
Welcome to the latest Insider Preview builds for HoloLens! Its simple to get started and provide valuable feedback for our next major operating system update for HoloLens. Welcome to the latest Insider Preview builds for HoloLens! Its simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
## How do I install the Insider builds? ## Start receiving Insider builds
On a device running the Windows 10 April 2018 Update, go to <strong>Settings -&gt; Update &amp; Security -&gt; Windows Insider Program</strong> and select <strong>Get started</strong>. Link the account you used to register as a Windows Insider. On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
Then, select **Active development of Windows**, choose whether youd like to receive **Fast** or **Slow** builds, and review the program terms. Then, select **Active development of Windows**, choose whether youd like to receive **Fast** or **Slow** builds, and review the program terms.
Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
## How do I stop receiving Insider builds? ## Stop receiving Insider builds
If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
To verify that your HoloLens is running a production build: To verify that your HoloLens is running a production build:
- Go to **Settings > System > About**, and find the build number. - Go to **Settings > System > About**, and find the build number.
- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information) - [See the release notes for production build numbers.](hololens-release-notes.md)
To opt out of Insider builds: To opt out of Insider builds:
- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**. - On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
- Follow the instructions to opt out your device. - Follow the instructions to opt out your device.
## Note for developers
You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
## Provide feedback and report issues ## Provide feedback and report issues
Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
>[!NOTE] >[!NOTE]
>Be sure to accept the prompt that asks whether youd like Feedback Hub to access your Documents folder (select **Yes** when prompted). >Be sure to accept the prompt that asks whether youd like Feedback Hub to access your Documents folder (select **Yes** when prompted).
## Note for developers
You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.


@ -1,32 +0,0 @@
---
title: Update, troubleshoot, or recover HoloLens
description:
author: Teresa-Motiv
ms.author: v-tea
ms.date: 11/27/2019
ms.prod: hololens
ms.topic: article
ms.custom: CSSTroubleshooting
audience: ITPro
keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
manager: jarrettr
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Update, troubleshoot, or recover HoloLens
The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter.
**In this section**
| Article | Description |
| --- | --- |
| [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. |
| [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. |
| [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device |
| [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. |
| [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. |
| [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.|


@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following: 1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen - Press the power button once to go to standby, and then press the power button again to return to the lock screen
- Select the user tile on the upper right of the Pins panel to sign out the current user. - HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device. 1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes. If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

View File

@ -106,6 +106,14 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.) 5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device. 6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
>[!TIP]
>In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device:
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
### HoloLens (1st gen) ### HoloLens (1st gen)
If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool. If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool.


@ -22,6 +22,10 @@ appliesto:
> [!Note] > [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
### January Update - build 18362.1043
- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
### December Update - build 18362.1042 ### December Update - build 18362.1042
- Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update. - Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.


@ -33,24 +33,26 @@ If your HoloLens becomes frozen or unresponsive:
If these steps don't work, you can try [recovering your device](hololens-recovery.md). If these steps don't work, you can try [recovering your device](hololens-recovery.md).
## Holograms don't look good or are moving around ## Holograms don't look good
If your holograms are unstable, jumpy, or dont look right, try one of these fixes: If your holograms are unstable, jumpy, or dont look right, try:
- Clean your device visor and make sure that nothing is obstructing the sensors. - Cleaning your device visor and sensor bar on the front of your HoloLens.
- Make sure that theres enough light in your room. - Increasing the light in your room.
- Try walking around and looking at your surroundings so that HoloLens can scan them more completely. - Walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. - Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
## HoloLens doesnt respond to my gestures ## HoloLens doesnt respond to gestures
To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands). To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring.
Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame).
If your environment is too dark, HoloLens might not see your hand, so make sure that theres enough light. If your environment is too dark, HoloLens might not see your hand, so make sure that theres enough light.
If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently. If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
## HoloLens doesnt respond to my voice commands. ## HoloLens doesnt respond to my voice commands
If Cortana isnt responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). If Cortana isnt responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
@ -64,10 +66,6 @@ If HoloLens cant map or load your space, it enters Limited mode and you won
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**. - To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
- If the correct space is loaded and youre still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. - If the correct space is loaded and youre still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message
If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around).
## My HoloLens cant tell what space Im in ## My HoloLens cant tell what space Im in
If your HoloLens cant identify and load the space youre in automatically, check the following factors: If your HoloLens cant identify and load the space youre in automatically, check the following factors:
@ -90,3 +88,7 @@ Youll need to free up some storage space by doing one or more of the followin
## My HoloLens cant create a new space ## My HoloLens cant create a new space
The most likely problem is that youre running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. The most likely problem is that youre running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
## The HoloLens emulators isn't working
Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting).

View File

@ -105,8 +105,8 @@ To **close** the Start menu, do the Start gesture when the Start menu is open.
> [!IMPORTANT] > [!IMPORTANT]
> For the one-handed Start gesture to work: > For the one-handed Start gesture to work:
> >
> 1. You must update to the November 2019 update (build 18363) or later. > 1. You must update to the November 2019 update (build 18363.1039) or later.
> 1. Your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not calibrated on the device. > 1. Your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not [calibrated](https://docs.microsoft.com/hololens/hololens-calibration#calibrating-your-hololens-2) on the device.
You can also perform the Start gesture with only one hand. To do this, hold out your hand with your palm facing you and look at the **Start icon** on your inner wrist. **While keeping your eye on the icon**, pinch your thumb and index finger together. You can also perform the Start gesture with only one hand. To do this, hold out your hand with your palm facing you and look at the **Start icon** on your inner wrist. **While keeping your eye on the icon**, pinch your thumb and index finger together.

View File

@ -43,6 +43,15 @@ Try adjusting the position of your device visor so the holographic frame matches
- **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame. - **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame.
- **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame. - **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame.
## Hologram image color or brightness does not look right
For HoloLens 2, take the following steps to ensure the highest visual quality of holograms presented in displays:
- **Increase brightness of the display.** Holograms look best when the display is at its brightest level.
- **Bring visor closer to your eyes.** Swing the visor down to the closest position to your eyes.
- **Shift visor down.** Try moving the brow pad on your forehead down, which will result in the visor moving down closer to your nose.
- **Run eye calibration.** The display uses your IPD and eye gaze to optimize images on the display. If you don't run eye calibration, the image quality may be made worse.
## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure ## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure
The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit). The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit).


@ -17,7 +17,7 @@ appliesto:
# Supported languages for HoloLens 2 # Supported languages for HoloLens 2
HoloLens 2 supports the following languages. This support includes voice commands and dictation features. HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps.
- Chinese Simplified (China) - Chinese Simplified (China)
- English (Australia) - English (Australia)
@ -39,7 +39,35 @@ HoloLens 2 is also available in the following languages. However, this support d
## Changing language or keyboard ## Changing language or keyboard
The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
> [!NOTE] > [!NOTE]
> Your speech and dictation language depends on the Windows display language. > Your speech and dictation language depends on the Windows display language.
## To change the Windows display language
1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
2. Select **Windows display language**, and then select a language.
If the supported language youre looking for is not in the menu, follow these steps:
1. Under **Preferred languages** select **Add a language**.
2. Search for and add the language.
3. Select the **Windows display language** menu again and choose the language you added.
The Windows display language affects the following settings for Windows and for apps that support localization:
- The user interface text language.
- The speech language.
- The default layout of the on-screen keyboard.
## To change the keyboard layout
To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**.
If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard.
> [!NOTE]
> The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME.
> >
To change the Windows display language, region, or keyboard settings, use the start gesture to open the **Start** menu, and then select **Settings** > **Time and Language** > **Language**. > While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~.


@ -62,7 +62,7 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po
| To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. | | To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. |
| To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." |
| To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. | | To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. |
| To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To turn off | Press and hold for 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." |
| To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. |
## HoloLens behavior reference ## HoloLens behavior reference


@ -55,4 +55,4 @@ appliesto:
## Related resources ## Related resources
* [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development)
* [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes) * [HoloLens release notes](https://docs.microsoft.com/hololens/hololens-release-notes)


@ -7,6 +7,7 @@
### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) ### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md)
### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md) ### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md)
### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
## Plan ## Plan
### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md) ### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md)
@ -58,6 +59,7 @@
### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) ### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md) ### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
## Plan ## Plan
### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)


@ -30,7 +30,6 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
<p><a href="https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099" target="_blank">Behind the design: Surface Hub 2S</a></p> <p><a href="https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099" target="_blank">Behind the design: Surface Hub 2S</a></p>
<p><a href="surface-hub-2s-whats-new.md">What's new in Surface Hub 2S</a></p> <p><a href="surface-hub-2s-whats-new.md">What's new in Surface Hub 2S</a></p>
<p><a href="differences-between-surface-hub-and-windows-10-enterprise.md">Operating system essentials</a></p> <p><a href="differences-between-surface-hub-and-windows-10-enterprise.md">Operating system essentials</a></p>
<p><a href="https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d">Enable Microsoft Whiteboard on Surface Hub</a></p>
</div> </div>
</div> </div>
</div> </div>


@ -49,6 +49,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
```PowerShell ```PowerShell
New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force) New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force)
``` ```
> [!IMPORTANT]
> ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods.
3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.


@ -47,7 +47,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
- **Skype for Business:** For Skype for Business only (on-premises or online), you can enable the Skype for Business object by running **Enable-CsMeetingRoom** to enable features such as Meeting room prompt for audio and Lobby hold. - **Skype for Business:** For Skype for Business only (on-premises or online), you can enable the Skype for Business object by running **Enable-CsMeetingRoom** to enable features such as Meeting room prompt for audio and Lobby hold.
- **Calendar:** Set **Calendar Auto processing** for this account. - **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account.
## Create account using PowerShell ## Create account using PowerShell
Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell.


@ -15,7 +15,7 @@ ms.localizationpriority: Medium
# Surface Hub 2S adoption and training guides # Surface Hub 2S adoption and training guides
Whether you are a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization. Whether you're a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization.
## On-demand training ## On-demand training


@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a
### Auto registration — Azure Active Directory Affiliated ### Auto registration — Azure Active Directory Affiliated
When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). During the initial setup process, when affiliating a Surface Hub with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune.
## Windows 10 Team Edition settings ## Windows 10 Team Edition settings
@ -69,6 +69,6 @@ You can set the Microsoft Teams app mode using Intune. Surface Hub 2S comes inst
To set modes, add the following settings to a custom Device Configuration Profile. To set modes, add the following settings to a custom Device Configuration Profile.
|**Name**|**Description**|**OMA-URI**|**Type**|**Value**| |**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
|:------ |:------------- |:--------- |:------ |:------- | |:--- |:--- |:--- |:--- |:--- |
|**Teams App ID**| App name | ./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId | String | Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams­­ | |**Teams App ID**|App name|./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId|String| Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams|
|**Teams App Mode**| Teams mode | ./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode | Integer | 0 or 1 or 2 | |**Teams App Mode**|Teams mode|./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode|Integer| 0 or 1 or 2|


@ -17,34 +17,34 @@ ms.localizationpriority: Medium
## Office 365 readiness ## Office 365 readiness
You may use Exchange and Skype for Business on-premises with Surface Hub 2S. However, if you use Exchange Online, Skype for Business Online, Microsoft Teams or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints). If you use Exchange Online, Skype for Business Online, Microsoft Teams, or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints).
Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This feature reduces latency and your perimeter capacity requirements. Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet-level inspection or processing. This feature reduces latency and your perimeter capacity requirements.
Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up-to-date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service). Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up to date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service).
## Device affiliation ## Device affiliation
Use Device affiliation to manage user access to the Settings app on Surface Hub 2S. Use Device affiliation to manage user access to the Settings app on Surface Hub 2S.
With the Windows 10 Team Edition operating system — that runs on Surface Hub 2S — only authorized users can adjust settings via the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended. With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
> [!NOTE] > [!NOTE]
> You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, youll have to repeat OOBE setup. > You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, youll have to repeat OOBE setup.
## No affiliation ## No affiliation
No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [Bitlocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune, however only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app. No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [BitLocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune; however, only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.
## Active Directory Domain Services ## Active Directory Domain Services
If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app via a security group on your domain, ensuring that all security group members have permissions to change settings on Surface Hub 2S. Note also the following: If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app using a security group on your domain. This helps ensure that all security group members have permissions to change settings on Surface Hub 2S. Also note the following:
- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the Bitlocker key can be saved in the AD Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies). - When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the BitLocker key can be saved in the Active Directory Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies).
- Your organizations Trusted Root CAs are pushed to the same container in Surface Hub 2S, which means you dont need to import them using a provisioning package. - Your organizations Trusted Root CAs are pushed to the same container in Surface Hub 2S, which means you dont need to import them using a provisioning package.
- You can still enroll the device with Intune to centrally manage settings on your Surface Hub 2S. - You can still enroll the device with Intune to centrally manage settings on your Surface Hub 2S.
## Azure Active Directory ## Azure Active Directory
When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. When you choose to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The devices Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work. If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The devices BitLocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.


@ -15,46 +15,55 @@ ms.localizationpriority: Medium
# Reset and recovery for Surface Hub 2S # Reset and recovery for Surface Hub 2S
If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or recover using a USB drive. If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or restore by using a USB drive.
To begin, sign into Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**. To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**.
## Reset device ## Reset the device
1. To reset, select **Get Started**. 1. To reset the device, select **Get Started**.
2. When the **Ready to reset this device** window appears, select **Reset**. Surface Hub 2S reinstalls the operating system from the recovery partition and may take up to one hour to complete. 2. When the **Ready to reset this device** window appears, select **Reset**.
3. Run **the first time Setup program** to reconfigure the device. >[!NOTE]
4. If you manage the device using Intune or other mobile device manager (MDM) solution, retire and delete the previous record and re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe). >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete.
3. To reconfigure the device, run the first-time Setup program.
4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe).
![*Reset and recovery for Surface Hub 2S*](images/sh2-reset.png)<br> ![*Reset and recovery for Surface Hub 2S*](images/sh2-reset.png)<br>
*Figure 1. Reset and recovery for Surface Hub 2S.* *Figure 1. Reset and recovery for Surface Hub 2S*
## Recover Surface Hub 2S using USB recovery drive ## Recover Surface Hub 2S by using a USB recovery drive
New in Surface Hub 2S, you can now reinstall the device using a recovery image. New in Surface Hub 2S, you can now reinstall the device by using a recovery image.
### Recover from USB drive ### Recovery from a USB drive
Surface Hub 2S lets you reinstall the device using a recovery image, which allows you to reinstall the device to factory settings if you lost the Bitlocker key or no longer have admin credentials to the Settings app. Using Surface Hub 2S, you can reinstall the device by using a recovery image. By doing this, you can reinstall the device to the factory settings if you lost the BitLocker key, or if you no longer have admin credentials to the Settings app.
1. Begin with a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32. >[!NOTE]
2. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions. >Use a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32.
3. Unzip the downloaded file onto the root of the USB drive.
4. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S.
5. Turn off the device. While holding down the Volume down button, press the Power button. Keep holding both buttons until you see the Windows logo. Release the Power button but continue to hold the Volume until the Install UI begins.
![*Use Volume down and power buttons to initiate recovery*](images/sh2-keypad.png) <br> 1. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions.
1. Unzip the downloaded file onto the root of the USB drive.
1. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S.
1. Turn off the device:
1. While holding down the Volume down button, press the Power button.
1. Keep holding both buttons until you see the Windows logo.
1. Release the Power button but continue to hold the Volume until the Install UI begins.
6. In the language selection screen, select the display language for your Surface Hub 2S. ![*Use Volume down and power buttons to initiate recovery*](images/sh2-keypad.png) <br>
7. Choose **Recover from a drive** and **Fully clean the drive** and then select **Recover**. If prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process. **Figure 2. Volume and Power buttons**
Remove the USB drive when the first time setup screen appears.
1. On the language selection screen, select the display language for your Surface Hub 2S.
1. Select **Recover from a drive** and **Fully clean the drive**, and then select **Recover**. If you're prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process.
When the first-time setup screen appears,remove the USB drive.
## Recover a locked Surface Hub ## Recover a locked Surface Hub
On rare occasions, Surface Hub 2S may encounter an error during cleanup of user and app data at the end of a session. If this occurs, the device will automatically reboot and resume data cleanup. But if this operation fails repeatedly, the device will be automatically locked to protect user data. At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
**To unlock Surface Hub 2S:** <br> **To unlock a Surface Hub 2S:** <br>
Reset or recover the device from Windows Recovery Environment (Windows RE). For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) - Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
> [!NOTE] > [!NOTE]
> To enter recovery mode, you need to physically unplug and replug the power cord three times. > To enter recovery mode, unplug the power cord and plug it in again three times.


@ -1,12 +1,12 @@
--- ---
title: Surface Hub Site Readiness Guide title: Surface Hub Site Readiness Guide
ms.reviewer: ms.reviewer:
manager: dansimp manager: laurawi
description: Use this Site Readiness Guide to help plan your Surface Hub installation. description: Use this Site Readiness Guide to help plan your Surface Hub installation.
ms.prod: surface-hub ms.prod: surface-hub
ms.sitesec: library ms.sitesec: library
author: dansimp author: greg-lindsay
ms.author: dansimp ms.author: greglin
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -28,7 +28,7 @@ The room needs to be large enough to provide good viewing angles, but small enou
- The screen is not in direct sunlight, which could affect viewing or damage the screen. - The screen is not in direct sunlight, which could affect viewing or damage the screen.
- Ventilation openings are not blocked. - Ventilation openings are not blocked.
- Microphones are not affected by noise sources, such as fans or vents. - Microphones are not affected by noise sources, such as fans or vents.
You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub. You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at https://www.microsoft.com/surface/support/surface-hub.
### Hardware considerations ### Hardware considerations
@ -47,7 +47,7 @@ For details about cable ports, see the [55” Microsoft Surface Hub technical in
Microsoft Surface Hub has an internal PC and does not require an external computer system. Microsoft Surface Hub has an internal PC and does not require an external computer system.
For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub. For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at https://www.microsoft.com/surface/support/surface-hub.
### Data and other connections ### Data and other connections
@ -77,7 +77,7 @@ Before you move Surface Hub, make sure that all the doorways, thresholds, hallwa
### Unpacking Surface Hub ### Unpacking Surface Hub
For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: https://www.microsoft.com/surface/support/surface-hub
>[!IMPORTANT] >[!IMPORTANT]
>Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it >Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it
@ -85,17 +85,17 @@ for repairs. For the 84” Surface Hub, retain the lifting handles.
### Lifting Surface Hub ### Lifting Surface Hub
The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub. The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at https://www.microsoft.com/surface/support/surface-hub.
## Mounting and setup ## Mounting and setup
See your mounting guide at http://www.microsoft.com/surface/support/surface-hub for detailed instructions. See your mounting guide at https://www.microsoft.com/surface/support/surface-hub for detailed instructions.
There are three ways to mount your Surface Hub: There are three ways to mount your Surface Hub:
- **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall. - **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall.
- **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall. - **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall.
- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub. - **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see https://www.microsoft.com/surface/support/surface-hub.
For specifications on available mounts for the original Surface Hub, see the following: For specifications on available mounts for the original Surface Hub, see the following:
@ -129,13 +129,10 @@ For example, to provide audio, video, and touchback capability to all three vide
When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand. When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand.
For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub. For details on Touchback and Inkback, see the user guide at https://www.microsoft.com/surface/support/surface-hub.
## See also ## See also
[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) [Watch the video (opens in a pop-up media player)](https://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)


@ -182,7 +182,3 @@ This example shows a link to a website and a link to a .pdf file. The secondary
>[!NOTE] >[!NOTE]
>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark. >The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
## More information
- [Blog post: Changing Surface Hubs Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)


@ -442,7 +442,7 @@ This update brings the Windows 10 Team Anniversary Update to Surface Hub and inc
* General * General
* Enabled Audio Device Selection (for Surface Hubs attached using external audio devices) * Enabled Audio Device Selection (for Surface Hubs attached using external audio devices)
* Enabled support for HDCP on DisplayPort output connector * Enabled support for HDCP on DisplayPort output connector
* System UI changes to settings for usability optimization (refer to [User and Admin Guides](http://www.microsoft.com/surface/support/surface-hub) for additional details) * System UI changes to settings for usability optimization (refer to [User and Admin Guides](https://www.microsoft.com/surface/support/surface-hub) for additional details)
* Bug fixes and performance optimizations to speed up the Azure Active Directory sign-in flow * Bug fixes and performance optimizations to speed up the Azure Active Directory sign-in flow
* Significantly improved time needed to reset and restore Surface Hub * Significantly improved time needed to reset and restore Surface Hub
* Windows Defender UI has been added within settings * Windows Defender UI has been added within settings
@ -520,9 +520,9 @@ This update to the Surface Hub includes quality improvements and security fixes.
## Related topics ## Related topics
* [Windows 10 feature road map](http://go.microsoft.com/fwlink/p/?LinkId=785967) * [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967)
* [Windows 10 release information](http://go.microsoft.com/fwlink/p/?LinkId=724328) * [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328)
* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq) * [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq)
* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327) * [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327)
* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968) * [Microsoft Lumia update history](https://go.microsoft.com/fwlink/p/?LinkId=785968)
* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) * [Get Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=616447)


@ -1,6 +1,6 @@
--- ---
title: How Surface Hub addresses Wi-Fi Direct security issues title: How Surface Hub addresses Wi-Fi Direct security issues
description: This topic provides guidance on Wi-Fi Direct security risks. description: Guidance about Wi-Fi Direct security risks.
keywords: change history keywords: change history
ms.prod: surface-hub ms.prod: surface-hub
ms.sitesec: library ms.sitesec: library
@ -15,101 +15,103 @@ ms.localizationpriority: medium
# How Surface Hub addresses Wi-Fi Direct security issues # How Surface Hub addresses Wi-Fi Direct security issues
Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct. Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection through Wi-Fi Direct.
This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit. This article describes Wi-Fi Direct security vulnerabilities, how Surface Hub addresses those risks, and how administrators can configure Surface Hub for the highest level of security. This information will help customers who have high security requirements protect their Surface Hub-connected networks and data in transit.
The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings. The intended audiences for this article are IT and network administrators who want to deploy Surface Hub in their corporate environment with optimal security settings.
## Overview ## Overview
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design. Security for Surface Hub depends extensively on Wi-Fi Direct/Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Because the device only supports WPS (as opposed to WPA2 Pre-Shared Key [PSK] or WPA2 Enterprise), the issues often associated with 802.11 encryption are simplified.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks. Surface Hub operates on par with the field of Miracast receivers. So, it's vulnerable to a similar set of exploits as all WPS-based wireless network devices. But the Surface Hub implementation of WPS has extra precautions built in. Also, its internal architecture helps prevent an attacker who has compromised the Wi-Fi Direct/Miracast layer from moving past the network interface onto other attack surfaces and connected enterprise networks.
## Wi-Fi Direct background ## Wi-Fi Direct background
Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration. Miracast is part of the Wi-Fi Display standard, which is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection. Wi-Fi Direct or Wi-Fi "peer to peer" (P2P) is a standard from the Wi-Fi Alliance for "Ad-Hoc" networks. Supported devices can communicate directly and create groups of networks without a conventional Wi-Fi access point or Internet connection.
Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods. Security for Wi-Fi Direct is provided by WPA2 under the WPS standard. The authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual push button (WPS-PBC), or an out-of-band message such as near field communication (WPS-OOO). Surface Hub supports both the PIN method and the push-button method, which is the default.
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client. In Wi-Fi Direct, groups are created as one of the following types:
- *Persistent*, in which automatic reconnection can occur by using stored key material
- *Temporary*, in which devices can't re-authenticate without user action
Wi-Fi Direct groups determine a *group owner* (GO) through a negotiation protocol, which mimics the "station" or "access point" functionality for the established Wi-Fi Direct group. The Wi-Fi Direct GO provides authentication (via an "internal registrar") and facilitates upstream network connections. For Surface Hub, this GO negotiation doesn't occur. The network only operates in "autonomous" mode, and Surface Hub is always the group owner. Finally, Surface Hub itself doesn't join other Wi-Fi Direct networks as a client.
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them ## How Surface Hub addresses Wi-Fi Direct vulnerabilities
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes. **Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process:** Wi-Fi Direct/Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation | |Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. | | The discovery process may remain active for an extended period of time, which could allow invitations and connections to be established without the approval of the device owner. | Surface Hub only operates as the group owner, which doesn't perform the client discovery or GO negotiation processes. You can fully disable wireless projection to turn off broadcast. |
| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). | | Invitation and discovery through PBC allows an unauthenticated attacker to perform repeated connection attempts, or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, administrators can reduce the potential for such unauthorized connections or "invitation bombs," in which invitations are repeatedly sent until a user mistakenly accepts one. |
**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use. **Wi-Fi Protected Setup (WPS) push button connect (PBC) vs PIN entry:** Public weaknesses have been demonstrated in WPS-PIN method design and implementation. WPS-PBC has other vulnerabilities that could allow active attacks against a protocol that's designed for one-time use.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hubs configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". | | WPS-PBC is vulnerable to active attackers. The WPS specification states: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack." Attackers can use selective wireless jamming or other denial-of-service techniques to trigger an unintended Wi-Fi Direct GO or connection. Also, an active attacker who merely has physical proximity can repeatedly tear down any Wi-Fi Direct group and attempt the attack until it succeeds. | Enable WPS-PIN security in Surface Hub configuration. The Wi-Fi WPS specification states: "The PBC method should only be used if no PIN-capable registrar is available and the WLAN user is willing to accept the risks associated with PBC." |
| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. | | WPS-PIN implementations can be subject to brute-force attacks that target a vulnerability in the WPS standard. The design of split PIN verification led to multiple implementation vulnerabilities over the past several years across a range of Wi-Fi hardware manufacturers. In 2011, researchers Stefan Viehböck and Craig Heffner released information about this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS in Surface Hub changes the PIN every 30 seconds. To crack the PIN, an attacker must complete the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force PIN-cracking attack through WPS is unlikely to succeed. |
| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. | | WPS-PIN can be cracked by an offline attack because of weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard described a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) in the wireless device allowed an offline brute-force attack. | The Microsoft implementation of WPS in Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether. **Unintended exposure of network services:** Network daemons that are intended for Ethernet or WLAN services may be accidentally exposed because of misconfiguration (such as binding to "all"/0.0.0.0 interfaces). Other possible causes include a poorly configured device firewall or missing firewall rules.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. | | Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This can expose services that shouldn't be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | In Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Configure strong authentication by enabling the WPS-PIN mode.|
**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network. **Bridging Wi-Fi Direct and other wired or wireless networks:** Network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification. Such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. | | Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This might allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or to enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub can't be configured to bridge wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled. **The use of Wi-Fi Direct "legacy" mode:** Exposure to unintended networks or devices may occur when you operate in "legacy" mode. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- | | --- | --- |
| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. | | By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection-setup phase indefinitely, allowing groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub doesn't support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device. **Wi-Fi Direct GO negotiation during connection setup:** The group owner in Wi-Fi Direct is analogous to the "access point" in a conventional 802.11 wireless network. The negotiation can be gamed by a malicious device.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation | |Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. | | If groups are dynamically established or the Wi-Fi Direct device can be made to join new groups, the group owner negotiation can be won by a malicious device that always specifies the maximum group owner "intent" value of 15. (But the connection fails if the device is configured to always be a group owner.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode," which skips the GO negotiation phase of connection setup. And Surface Hub is always the group owner. |
**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks. **Unintended or malicious Wi-Fi deauthentication:** Wi-Fi deauthentication is an old attack in which a local attacker can expedite information leaks in the connection-setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attacks, or create denial-of-service attacks.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. | | Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate then to sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigation for these attack includes enforcing length and complexity policies for pre-shared keys, configuring the access point (if applicable) to detect malicious levels of deauthentication packets, and using WPS to automatically generate strong keys. In PBC mode, the user interacts with a physical or virtual button to allow arbitrary device association. This process should happen only at setup, within a short window. After the button is automatically "pushed," the device will accept any station that associates via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | Surface Hub uses WPS in PIN or PBC mode. No PSK configuration is permitted. This method helps enforce generation of strong keys. 
It's best to enable WPS-PIN security for Surface Hub. |
| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hubs configuration. | | In addition to denial-of-service attacks, deauthentication packets can be used to trigger a reconnect that re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security in the Surface Hub configuration. |
**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network. **Basic wireless information disclosure:** Wireless networks, 802.11 or otherwise, are inherently at risk of information disclosure. Although this information is mostly connection or device metadata, this problem remains a known risk for any 802.11 network administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. | | During broadcast, connection setup, or even normal operation of already-encrypted connections, basic information about devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker who's within wireless range can examine the relevant 802.11 information elements to determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details, such as the version of the wireless stack, packet sizes, or the configured access point or group owner options. | The Wi-Fi Direct network that Surface Hub uses can't be further protected from metadata leaks, just like for 802.11 Enterprise or PSK wireless networks. Physical security and removal of potential threats from wireless proximity can help reduce potential information leaks. |
**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect. **Wireless evil twin or spoofing attacks:** Spoofing the wireless name is a simple, well-known exploit a local attacker can use to lure unsuspecting or mistaken users to connect.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation | | Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- | | --- | --- |
| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. | | By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to a fake, malicious network. By supporting unauthenticated, auto-join Miracast, an attacker could capture the intended display materials or launch network attacks on the connecting device. | While there are no specific protections against joining a spoofed Surface Hub, this vulnerability is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the first connection. Subsequent connections use a persistent Wi-Fi Direct group, and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel, and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) 
Overall, this weakness is a fundamental problem for any 802.11 wireless network that lacks Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which Wi-Fi Direct doesn't support. |
## Surface Hub hardening guidelines ## Surface Hub hardening guidelines
Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario. Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. The default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub. For additional wireless interface security, Surface Hub users should enable the WPS-PIN security setting. This setting disables WPS-PBC mode and offers client authentication. It provides the strongest level of protection by preventing unauthorized connection to Surface Hub.
If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access. If you still have concerns about authentication and authorization for Surface Hub, we recommend that you connect the device to a separate network. You could use Wi-Fi (such as a "guest" Wi-Fi network) or a separate Ethernet network, preferably an entirely different physical network. But a VLAN can also provide added security. Of course, this approach may preclude connections to internal network resources or services and may require additional network configuration to regain access.
Also recommended: Also recommended:
- [Install regular system updates.](manage-windows-updates-for-surface-hub.md) - [Install regular system updates](manage-windows-updates-for-surface-hub.md)
- Update the Miracast settings to disable auto-present mode. - Update the Miracast settings to disable auto-present mode
## Learn more ## Learn more
@ -118,7 +120,3 @@ Also recommended:


@ -16,28 +16,25 @@ ms.reviewer:
manager: dansimp manager: dansimp
--- ---
# Considerations for Surface and Microsoft Endpoint Configuration Manager # Considerations for Surface and System Center Configuration Manager
Fundamentally, management and deployment of Surface devices with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client to publish apps, settings, and policies, you use the same process that you would use for any other device. Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device.
You can find more information about how to use Configuration Manager to deploy and manage devices in the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/sccm/index). You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well. Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios. The solutions documented in this article may apply to other devices and manufacturers as well.
>[!NOTE] > [!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Endpoint Configuration Manager. > For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
## Support for Surface Pro X
Beginning in version 1802, Endpoint Configuration Manager includes client management support for Surface Pro X. Note however that running the Endpoint Configuration Manager agent on Surface Pro X may accelerate battery consumption. In addition, operating system deployment using Endpoint Configuration Manager is not supported on Surface Pro X. For more information, refer to:
- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802)
- [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
## Updating Surface device drivers and firmware ## Updating Surface device drivers and firmware
For devices receiving updates through Windows Update, drivers for Surface components—and even firmware updates—are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or SCCM, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
>[!NOTE] For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
>Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
> [!NOTE]
> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
## Surface Ethernet adapters and Configuration Manager deployment ## Surface Ethernet adapters and Configuration Manager deployment
@ -45,39 +42,39 @@ The default mechanism that Configuration Manager uses to identify devices during
To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options: To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/). * Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
* Prestage devices by System UUID as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/). * Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/). * Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions. Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, refer to [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/). For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
## Deploy Surface app with Configuration Manager ## Deploy Surface app with Configuration Manager
With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. For more information including PowerShell commands for deploying Surface app, refer to [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business). With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Microsoft Store for Business in the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients ## Use prestaged media with Surface clients
If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices. If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
To apply prestaged media to UEFI devices, such as Surface devices, refer to [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/). Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
## Licensing conflicts with OEM Activation 3.0 ## Licensing conflicts with OEM Activation 3.0
Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key. Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key.
When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies. When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services [KMS] or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center. However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. For more information, see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx). 
If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
## Apply an asset tag during deployment ## Apply an asset tag during deployment
Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. For more information, refer to [Surface Asset Tag Tool](assettag.md). Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions in [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/). To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
## Configure push-button reset ## Configure push-button reset


@ -11,7 +11,7 @@ ms.author: dansimp
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.audience: itpro ms.audience: itpro
ms.date: 10/21/2019 ms.date: 01/15/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -99,10 +99,7 @@ Because customizations are performed by MDT at the time of deployment, the goal
For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process.
>[!NOTE] >[!NOTE]
>Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices. >Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
@ -234,7 +231,7 @@ You now have an empty deployment share that is ready for you to add the resource
The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC). The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
>[!NOTE] >[!NOTE]
>A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3. >A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT.
To import Windows 10 installation files, follow these steps: To import Windows 10 installation files, follow these steps:
@ -404,9 +401,9 @@ Perform the reference image deployment and capture using the following steps:
* **Locale and Time** Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. * **Locale and Time** Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
* **Capture Image** Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. * **Capture Image** Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine")
*Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
* **Ready** You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. * **Ready** You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.


@ -1,5 +1,5 @@
--- ---
title: How to enable the Surface Laptop keyboard during MDT deployment (Surface) title: How to enable the Surface Laptop keyboard during MDT deployment
description: When you use MDT to deploy Windows 10 to Surface laptops, you need to import keyboard drivers to use in the Windows PE environment. description: When you use MDT to deploy Windows 10 to Surface laptops, you need to import keyboard drivers to use in the Windows PE environment.
keywords: windows 10 surface, automate, customize, mdt keywords: windows 10 surface, automate, customize, mdt
ms.prod: w10 ms.prod: w10
@ -9,7 +9,7 @@ ms.sitesec: library
author: Teresa-Motiv author: Teresa-Motiv
ms.author: v-tea ms.author: v-tea
ms.topic: article ms.topic: article
ms.date: 10/31/2019 ms.date: 01/17/2020
ms.reviewer: scottmca ms.reviewer: scottmca
ms.localizationpriority: medium ms.localizationpriority: medium
ms.audience: itpro ms.audience: itpro
@ -22,14 +22,14 @@ appliesto:
# How to enable the Surface Laptop keyboard during MDT deployment # How to enable the Surface Laptop keyboard during MDT deployment
This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies. On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository).
> [!NOTE] > [!NOTE]
> This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies. > It is currently not supported to add Surface Laptop 2 and Surface Laptop 3 keyboard drivers in the same Windows PE boot instance due to a driver conflict; use separate instances instead.
> [!IMPORTANT] > [!IMPORTANT]
> If you are deploying a Windows 10 image to a Surface Laptop that has Windows 10 in S mode preinstalled, see KB [4032347, Problems when deploying Windows to Surface devices with preinstalled Windows 10 in S mode](https://support.microsoft.com/help/4032347/surface-preinstall-windows10-s-mode-issues). > If you are deploying a Windows 10 image to a Surface Laptop that has Windows 10 in S mode preinstalled, see KB [4032347, Problems when deploying Windows to Surface devices with preinstalled Windows 10 in S mode](https://support.microsoft.com/help/4032347/surface-preinstall-windows10-s-mode-issues).
On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository).
To add the keyboard drivers to the selection profile, follow these steps: To add the keyboard drivers to the selection profile, follow these steps:
1. Download the latest Surface Laptop MSI file from the appropriate locations: 1. Download the latest Surface Laptop MSI file from the appropriate locations:


@ -21,11 +21,10 @@ When deploying Surface devices in point of sale or other “always-on”
kiosk scenarios, you can optimize power management using the new Surface kiosk scenarios, you can optimize power management using the new Surface
Brightness Control app. Brightness Control app.
Available for download with [Surface Tools for Available for download with [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703).
IT](https://www.microsoft.com/download/details.aspx?id=46703), Surface Brightness Control is Surface Brightness Control is designed to help reduce thermal load and lower the overall carbon footprint for deployed Surface devices.
designed to help reduce thermal load and lower the overall carbon If you plan to get only this tool from the download page, select the file **Surface_Brightness_Control_v1.16.137.0.msi** in the available list.
footprint for deployed Surface devices. The tool automatically dims the screen when not in use and The tool automatically dims the screen when not in use and includes the following configuration options:
includes the following configuration options:
- Period of inactivity before dimming the display. - Period of inactivity before dimming the display.
@ -47,6 +46,11 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry).
1. Run regedit from a command prompt to open the Windows Registry 1. Run regedit from a command prompt to open the Windows Registry
Editor. Editor.
- Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface
Brightness Control\
If you're running an older version of Surface Brightness control, run the following command instead:
- Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface
Brightness Control\ Brightness Control\


@ -50,9 +50,6 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm
> [!NOTE] > [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
> [!IMPORTANT] > [!IMPORTANT]


@ -62,18 +62,19 @@ Some third-party antivirus software cannot be installed on a Windows 10 PC runni
## Servicing Surface Pro X ## Servicing Surface Pro X
Outside of personal devices that rely on Windows Update, servicing devices in most corporate environments requires downloading and managing the deployment of .MSI files to update target devices. Refer to the following documentation, which will be updated later to include guidance for servicing Surface Pro X: Surface Pro X supports Windows 10, version 1903 and later. As an ARM-based device, it has specific requirements for maintaining the latest drivers and firmware.
- [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). Surface Pro X was designed to use Windows Update to simplify the process of keeping drivers and firmware up to date for both home users and small business users. Use the default settings to receive Automatic updates. To verify:
> [!NOTE] 1. Go to **Start** > **Settings > Update & Security > Windows Update** > **Advanced Options.**
> Surface Pro X supports Windows 10, version 1903 and later. 2. Under **Choose how updates are installed,** select **Automatic (recommended)**.
### Windows Server Update Services ### Recommendations for commercial customers
Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
For more information, refer to the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products).
- Use Windows Update or Windows Update for Business for maintaining the latest drivers and firmware. For more information, see [Deploy Updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
- If your procedures require using a Windows Installer .msi file, contact [Surface for Business support](https://support.microsoft.com/help/4037645).
- For more information about deploying and managing updates on Surface devices, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
- Note that Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
## Running apps on Surface Pro X ## Running apps on Surface Pro X


@ -1,6 +1,6 @@
--- ---
title: Use Microsoft Endpoint Configuration Manager to manage devices with SEMM (Surface) title: Use Microsoft Endpoint Configuration Manager to manage devices with SEMM (Surface)
description: Learn how to manage SEMM with Endpoint Configuration Manager. description: Learn how to manage Microsoft Surface Enterprise Management Mode (SEMM) with Endpoint Configuration Manager.
keywords: enroll, update, scripts, settings keywords: enroll, update, scripts, settings
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: manage ms.mktglfcycl: manage
@ -18,16 +18,16 @@ ms.audience: itpro
# Use Microsoft Endpoint Configuration Manager to manage devices with SEMM # Use Microsoft Endpoint Configuration Manager to manage devices with SEMM
The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both manage and secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration. The Microsoft Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices lets administrators manage and help secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
For organizations with Endpoint Configuration Manager, (formerly known as System Center Configuration Manager or SCCM) there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool. For organizations with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM), there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
>[!Note] > [!Note]
>Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager. > Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager.
#### Prerequisites #### Prerequisites
Before you begin the process outlined in this article, it is expected that you are familiar with the following technologies and tools: Before you begin the process outlined in this article, familiarize yourself with the following technologies and tools:
* [Surface UEFI](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings) * [Surface UEFI](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings)
* [Surface Enterprise Management Mode (SEMM)](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode) * [Surface Enterprise Management Mode (SEMM)](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode)
@ -52,60 +52,60 @@ After Microsoft Surface UEFI Manager is installed on the client Surface device,
Deployment of Microsoft Surface UEFI Manager is a typical application deployment. The Microsoft Surface UEFI Manager installer file is a standard Windows Installer file that you can install with the [standard quiet option](https://msdn.microsoft.com/library/windows/desktop/aa367988). Deployment of Microsoft Surface UEFI Manager is a typical application deployment. The Microsoft Surface UEFI Manager installer file is a standard Windows Installer file that you can install with the [standard quiet option](https://msdn.microsoft.com/library/windows/desktop/aa367988).
The command to install Microsoft Surface UEFI Manager is: The command to install Microsoft Surface UEFI Manager is as follows.
`msiexec /i "SurfaceUEFIManagerSetup.msi" /q` `msiexec /i "SurfaceUEFIManagerSetup.msi" /q`
The command to uninstall Microsoft Surface UEFI Manager is: The command to uninstall Microsoft Surface UEFI Manager is as follows.
`msiexec /x {541DA890-1AEB-446D-B3FD-D5B3BB18F9AF} /q` `msiexec /x {541DA890-1AEB-446D-B3FD-D5B3BB18F9AF} /q`
To create a new application and deploy it to a collection that contains your Surface devices, perform the following steps: To create a new application and deploy it to a collection that contains your Surface devices, perform the following steps:
1. Open Configuration Manager Console from the Start screen or Start menu. 1. Open Configuration Manager Console from the **Start** screen or **Start** menu.
2. Click **Software Library** in the bottom left corner of the window. 2. Select **Software Library** in the bottom left corner of the window.
3. Expand the Application Management node of the Software Library, and then click **Applications**. 3. Expand the **Application Management** node of the Software Library, and then select **Applications**.
4. Click the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard. 4. Select the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard.
5. The Create Application Wizard presents a series of steps: 5. The Create Application Wizard presents a series of steps:
* **General** The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (*.msi file)** is also selected by default. Click **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then click **Next**. * **General** The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (.msi file)** is also selected by default. Select **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then select **Next**.
>[!Note] > [!Note]
>The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used. > The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used.
* **Import Information** The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Click **Next** to proceed. * **Import Information** The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed.
![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed")
*Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
* **General Information** You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Click Next to proceed. * **General Information** You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed.
* **Summary** The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Click **Next** to confirm your selections and create the application. * **Summary** The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application.
* **Progress** Displays a progress bar and status as the application is imported and added to the Software Library. * **Progress** Displays a progress bar and status as the application is imported and added to the Software Library.
* **Completion** Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. * **Completion** Confirmation of the successful application creation is displayed when the application creation process is complete. Select **Close** to finish the Create Application Wizard.
After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device it only provides the assemblies required for SEMM to be enabled via PowerShell script. After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device. It only provides the assemblies required for SEMM to be enabled using the PowerShell script.
If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration Manager scripts. This scenario is covered in the [Deploy SEMM Configuration Manager Scripts](#deploy-semm-configuration-manager-scripts) section later in this article. If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration Manager scripts. This scenario is covered in the [Deploy SEMM Configuration Manager Scripts](#deploy-semm-configuration-manager-scripts) section later in this article.
## Create or modify the SEMM Configuration Manager scripts ## Create or modify the SEMM Configuration Manager scripts
After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager at the link in the [Prerequisites](#prerequisites) section at the beginning of this article. After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager from the link in the [Prerequisites](#prerequisites) section at the beginning of this article.
There are two primary scripts you will need to perform a SEMM deployment with Configuration Manager: There are two primary scripts you will need in order to perform a SEMM deployment with Configuration Manager:
* **ConfigureSEMM.ps1** Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings, to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM. * **ConfigureSEMM.ps1** Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM.
* **ResetSEMM.ps1** Use this script to reset SEMM on a Surface device, which unenrolls it from SEMM and removes the control over Surface UEFI settings. * **ResetSEMM.ps1** Use this script to reset SEMM on a Surface device, which unenrolls it from SEMM and removes the control over Surface UEFI settings.
The sample scripts include examples of how to set Surface UEFI settings and how to control permissions to those settings. These settings can be modified to secure Surface UEFI and set Surface UEFI settings according to the needs of your environment. The following sections of this article explain the ConfigureSEMM.ps1 script and explore the modifications you need to make to the script to fit your requirements. The sample scripts include examples of how to set Surface UEFI settings and how to control permissions to those settings. These settings can be modified to secure Surface UEFI and set Surface UEFI settings according to the needs of your environment. The following sections of this article explain the ConfigureSEMM.ps1 script and explore the modifications you need to make to the script to fit your requirements.
>[!NOTE] > [!NOTE]
>The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager. > The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager.
### Specify certificate and package names ### Specify certificate and package names
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script: The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script.
``` ```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
@ -128,14 +128,14 @@ The first region of the script that you need to modify is the portion that speci
73 $password = "1234" 73 $password = "1234"
``` ```
Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and then copies the certificate file to this working directory.
Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. On line 73, replace the value of the **$password** variable, from **1234** to the password for your certificate file. If a password is not required, delete the **1234** text.
>[!Note] > [!Note]
>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this: > The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this.
``` ```
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. 150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
@ -148,20 +148,20 @@ On line 73, replace the value of the **$password** variable, from 1234, to the p
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
1. Right-click the .pfx file, and then click **Open**. 1. Right-click the .pfx file, and then select **Open**.
2. Expand the folder in the navigation pane. 2. Expand the folder in the navigation pane.
3. Click **Certificates**. 3. Select **Certificates**.
4. Right-click your certificate in the main pane, and then click **Open**. 4. Right-click your certificate in the main pane, and then select **Open**.
5. Click the **Details** tab. 5. Select the **Details** tab.
6. **All** or **Properties Only** must be selected in the **Show** drop-down menu. 6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
7. Select the field **Thumbprint**. 7. Select the field **Thumbprint**.
>[!NOTE] > [!NOTE]
>The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action. > The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action.
### Configure permissions ### Configure permissions
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras.
``` ```
210 # Configure Permissions 210 # Configure Permissions
@ -213,7 +213,7 @@ You can find information about the available settings names and IDs for Surface
### Configure settings ### Configure settings
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows: The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows.
``` ```
291 # Configure Settings 291 # Configure Settings
@ -271,11 +271,11 @@ You can find information about the available settings names and IDs for Surface
### Settings registry key ### Settings registry key
To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location: To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location.
`HKLM\SOFTWARE\Microsoft\Surface\SEMM` `HKLM\SOFTWARE\Microsoft\Surface\SEMM`
The following code fragment, found on lines 380-477, is used to write these registry keys: The following code fragment, found on lines 380-477, is used to write these registry keys.
``` ```
380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry: 380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
@ -443,11 +443,11 @@ After your scripts are prepared to configure and enable SEMM on the client devic
* ResetSEMM.ps1 * ResetSEMM.ps1
* Your SEMM certificate (for example SEMMCertificate.pfx) * Your SEMM certificate (for example SEMMCertificate.pfx)
The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is: The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is as follows.
`Powershell.exe -file ".\ConfigureSEMM.ps1"` `Powershell.exe -file ".\ConfigureSEMM.ps1"`
The command to uninstall SEMM with ResetSEMM.ps1 is: The command to uninstall SEMM with ResetSEMM.ps1 is as follows.
`Powershell.exe -file ".\ResetSEMM.ps1"` `Powershell.exe -file ".\ResetSEMM.ps1"`
@ -457,82 +457,82 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app
2. Proceed through The Create Application Wizard as follows: 2. Proceed through The Create Application Wizard as follows:
- **General** Select **Manually specify the application information**, and then click **Next**. - **General** Select **Manually specify the application information**, and then select **Next**.
- **General Information** Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Click **Next** to proceed. - **General Information** Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Select **Next** to proceed.
- **Application Catalog** The fields on this page can be left with their default values. Click **Next**. - **Application Catalog** The fields on this page can be left with their default values. Select **Next**.
- **Deployment Types** Click **Add** to start the Create Deployment Type Wizard. - **Deployment Types** Select **Add** to start the Create Deployment Type Wizard.
- Proceed through the steps of the Create Deployment Type Wizard, as follows: - Proceed through the steps of the Create Deployment Type Wizard, as follows:
* **General** Click **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Click **Next** to proceed. * **General** Select **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Select **Next** to proceed.
* **General Information** Enter a name for the deployment type (for example SEMM Configuration Scripts), and then click **Next** to continue. * **General Information** Enter a name for the deployment type (for example SEMM Configuration Scripts), and then select **Next** to continue.
* **Content** Click **Browse** next to the **Content Location** field, and then click the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Click **Next** to move to the next page. * **Content** Select **Browse** next to the **Content Location** field, and then select the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Select **Next** to move to the next page.
![Set the SEMM Configuration Manager scripts as the install and uninstall commands](images/config-mgr-semm-fig2.png "Set the SEMM Configuration Manager scripts as the install and uninstall commands") ![Set the SEMM Configuration Manager scripts as the install and uninstall commands](images/config-mgr-semm-fig2.png "Set the SEMM Configuration Manager scripts as the install and uninstall commands")
*Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands* *Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands*
* **Detection Method** Click **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings: * **Detection Method** Select **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings:
- Click **Registry** from the **Setting Type** drop-down menu. - Select **Registry** from the **Setting Type** drop-down menu.
- Click **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu. - Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
- Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field. - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
- Enter **Enabled_Version1000** in the **Value** field. - Enter **Enabled_Version1000** in the **Value** field.
- Click **String** from the **Data Type** drop-down menu. - Select **String** from the **Data Type** drop-down menu.
- Click the **This registry setting must satisfy the following rule to indicate the presence of this application** button. - Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
- Enter **1** in the **Value** field. - Enter **1** in the **Value** field.
- Click **OK** to close the **Detection Rule** window. - Select **OK** to close the **Detection Rule** window.
![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM") ![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM")
*Figure 3. Use a registry key to identify devices enrolled in SEMM* *Figure 3. Use a registry key to identify devices enrolled in SEMM*
* Click **Next** to proceed to the next page. * Select **Next** to proceed to the next page.
* **User Experience** Click **Install for system** from the **Installation Behavior** drop-down menu. If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, click **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu. * **User Experience** Select **Install for system** from the **Installation Behavior** drop-down menu. If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, select **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu.
* **Requirements** The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Click **Next** to continue. * **Requirements** The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Select **Next** to continue.
* **Dependencies** Click **Add** to open the **Add Dependency** window. * **Dependencies** Select **Add** to open the **Add Dependency** window.
* Click **Add** to open the **Specify Required Application** window. * Select **Add** to open the **Specify Required Application** window.
- Enter a name for the SEMM dependencies in the **Dependency Group Name** field (for example, *SEMM Assemblies*). - Enter a name for the SEMM dependencies in the **Dependency Group Name** field (for example, *SEMM Assemblies*).
- Click **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then click **OK** to close the **Specify Required Application** window. - Select **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then select **OK** to close the **Specify Required Application** window.
* Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window. * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Select **OK** to close the **Add Dependency** window.
* Click **Next** to proceed. * Select **Next** to proceed.
* **Summary** The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Click **Next** to confirm your selections. * **Summary** The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Select **Next** to confirm your selections.
* **Progress** A progress bar and status as the deployment type is added for the SEMM script application is displayed on this page. * **Progress** A progress bar and status as the deployment type is added for the SEMM script application is displayed on this page.
* **Completion** Confirmation of the deployment type creation is displayed when the process is complete. Click **Close** to finish the Create Deployment Type Wizard. * **Completion** Confirmation of the deployment type creation is displayed when the process is complete. Select **Close** to finish the Create Deployment Type Wizard.
- **Summary** The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application. - **Summary** The information that you entered throughout the Create Application Wizard is displayed. Select **Next** to create the application.
- **Progress** A progress bar and status as the application is added to the Software Library is displayed on this page. - **Progress** A progress bar and status as the application is added to the Software Library is displayed on this page.
- **Completion** Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. - **Completion** Confirmation of the successful application creation is displayed when the application creation process is complete. Select **Close** to finish the Create Application Wizard.
After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM. After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM.
When you deploy SEMM using this script application and with a configuration that is visible to the end user, the PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots. When you deploy SEMM using this script application and with a configuration that is visible to the end user, the PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots.
Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article. Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user. In this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM. Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM.
> [!NOTE] > [!NOTE]
> Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate. > Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate.
> >
> We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that just like the certificate itself this universal reset package can be used to unenroll any of your organizations Surface devices from SEMM. > We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that, just like the certificate itself, this universal reset package can be used to unenroll any of your organizations Surface devices from SEMM.
> >
> When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package the device will prompt for the certificate thumbprint before ownership is taken. > When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package. The device will prompt for the certificate thumbprint before ownership is taken.
> >
> For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. > For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.


@ -10,7 +10,7 @@ ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.date: 10/10/2019 ms.date: 12/30/2019
ms.reviewer: scottmca ms.reviewer: scottmca
manager: dansimp manager: dansimp
ms.audience: itpro ms.audience: itpro
@ -44,6 +44,8 @@ The following devices are supported for WOL:
* Surface Go * Surface Go
* Surface Go with LTE Advanced * Surface Go with LTE Advanced
* Surface Studio 2 (see Surface Studio 2 instructions below) * Surface Studio 2 (see Surface Studio 2 instructions below)
* Surface Pro 7
* Surface Laptop 3
## WOL driver ## WOL driver
@ -66,15 +68,15 @@ To enable WOL on Surface Studio 2, you must use the following procedure
1. Create the following registry keys: 1. Create the following registry keys:
``` ```console
; Set CONNECTIVITYINSTANDBY to 1: ; Set CONNECTIVITYINSTANDBY to 1:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9]
"Attributes"=dword:00000001 "Attributes"=dword:00000001
; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1: ; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power]
"EnforceDisconnectedStandby"=dword:00000000 "EnforceDisconnectedStandby"=dword:00000000
"AllowSystemRequiredPowerRequests"=dword:00000001 "AllowSystemRequiredPowerRequests"=dword:00000001
``` ```
2. Run the following command 2. Run the following command


@ -1,5 +1,5 @@
--- ---
title: Windows Autopilot and Surface Devices title: Windows Autopilot and Surface devices
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
description: Find out about Windows Autopilot deployment options for Surface devices. description: Find out about Windows Autopilot deployment options for Surface devices.
@ -18,22 +18,27 @@ ms.date: 11/26/2019
# Windows Autopilot and Surface devices # Windows Autopilot and Surface devices
Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot, you can remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as a hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM). Windows Autopilot is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box.
With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process eliminates need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a *hardware hash*. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.
## Modern management ## Modern management
Autopilot is the recommended deployment option for Surface devices including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed to be deployed with Autopilot. Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot.
For the best experience, enroll your Surface devices with the assistance of a Microsoft Cloud Solution Provider. Doing so enables you to manage UEFI firmware settings on Surface devices directly from Intune, eliminating the need to physically touch devices for certificate management. For more information, see [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details.
## Windows version considerations ## Windows version considerations
Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 ship with Windows 10 Version 1903 or above. Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.
These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later.
## Surface partners enabled for Windows Autopilot ## Surface partners enabled for Windows Autopilot
Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organizations behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management.
Surface partners that are enabled for Windows Autopilot include:
- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) - [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/) - [Atea](https://www.atea.com/)
@ -48,6 +53,6 @@ When you purchase Surface devices from a Surface partner enabled for Windows Aut
- [Techdata](https://www.techdata.com/) - [Techdata](https://www.techdata.com/)
## Learn more ## Learn more
For more information about Windows Autopilot, refer to: For more information about Windows Autopilot, see:
- [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) - [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot)
- [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements) - [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements)


@ -39,3 +39,18 @@ This section lists common issues that you may encounter when you upgrade your Ad
- Install the required hotfix. - Install the required hotfix.
- Connect to AGPM using an AGPM client to test that your difference reports are now functioning. - Connect to AGPM using an AGPM client to test that your difference reports are now functioning.
## Install Hotfix Package 1 for Microsoft Advanced Group Policy Management 4.0 SP3
**Issue fixed in this hotfix**: AGPM can't generate difference reports when it controls or manages new Group Policy Objects (GPOs).
**How to get this update**: Install the latest version of Microsoft Desktop Optimization Pack ([March 2017 Servicing Release](https://www.microsoft.com/download/details.aspx?id=54967)). See [KB 4014009](https://support.microsoft.com/help/4014009/) for more information.
More specifically, you can choose to download only the first file, `AGPM4.0SP1_Server_X64_KB4014009.exe`, from the list presented after pressing the download button.
The download link to the Microsoft Desktop Optimization Pack (March 2017 Servicing Release) can be found [here](https://www.microsoft.com/download/details.aspx?id=54967).
## Reference link
https://support.microsoft.com/help/3127165/hotfix-package-1-for-microsoft-advanced-group-policy-management-4-0-sp


@ -36,8 +36,8 @@
## [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) ## [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
### [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) ### [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)
#### [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md) #### [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md)
#### [Planning to Deploy MBAM with Configuration Manager [2 [MBAM_2](planning-to-deploy-mbam-with-configuration-manager-2.md) #### [Planning to Deploy MBAM with Configuration Manager](planning-to-deploy-mbam-with-configuration-manager-2.md)
#### [Deploying MBAM with Configuration Manager [MBAM2 [MBAM_2](deploying-mbam-with-configuration-manager-mbam2.md) #### [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md)
##### [How to Create or Edit the mof Files](how-to-create-or-edit-the-mof-files.md) ##### [How to Create or Edit the mof Files](how-to-create-or-edit-the-mof-files.md)
###### [Edit the Configuration.mof File](edit-the-configurationmof-file.md) ###### [Edit the Configuration.mof File](edit-the-configurationmof-file.md)
###### [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file.md) ###### [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file.md)


@ -1,13 +1,14 @@
--- ---
title: Deploying MBAM 2.5 in a stand-alone configuration title: Deploying MBAM 2.5 in a stand-alone configuration
description: Introducing how to deploy MBAM 2.5 in a stand-alone configuration. description: Introducing how to deploy MBAM 2.5 in a stand-alone configuration.
author: delhan author: Deland-Han
ms.reviewer: dcscontentpm ms.reviewer: dcscontentpm
manager: dansimp manager: dansimp
ms.author: delhan ms.author: delhan
ms.sitesec: library ms.sitesec: library
ms.prod: w10 ms.prod: w10
ms.date: 09/16/2019 ms.date: 09/16/2019
manager: dcscontentpm
--- ---
# Deploying MBAM 2.5 in a standalone configuration # Deploying MBAM 2.5 in a standalone configuration


@ -1,13 +1,14 @@
--- ---
title: Troubleshooting MBAM 2.5 installation problems title: Troubleshooting MBAM 2.5 installation problems
description: Introducing how to troubleshoot MBAM 2.5 installation problems. description: Introducing how to troubleshoot MBAM 2.5 installation problems.
author: delhan author: Deland-Han
ms.reviewer: dcscontentpm ms.reviewer: dcscontentpm
manager: dansimp manager: dansimp
ms.author: delhan ms.author: delhan
ms.sitesec: library ms.sitesec: library
ms.prod: w10 ms.prod: w10
ms.date: 09/16/2019 ms.date: 09/16/2019
manager: dcscontentpm
--- ---
# Troubleshooting MBAM 2.5 installation problems # Troubleshooting MBAM 2.5 installation problems
@ -386,7 +387,7 @@ Basic checks:
* If the communication between client and server is secure, make sure that you are using a valid SSL certificate. * If the communication between client and server is secure, make sure that you are using a valid SSL certificate.
* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You can check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL Server connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx). * Verify network connectivity between the web server and the database server to which the data is sent for insertion. You can check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL Server connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).
#### Troubleshooting the connectivity issue #### Troubleshooting the connectivity issue
@ -528,11 +529,11 @@ The web service may not connect to the database server because of a permissions
* These groups do not have the required permissions on the database. * These groups do not have the required permissions on the database.
You will notice permissions-related errors in the Application logs on the MBAM administration and monitoring server if any of the previous conditions are true. In that case, you should manually add the NT Authority\Network Service account and MBAM administration servers computer account and grant them a server-wide public role on the SQL database server that is using SQL Server Management Studio (http://msdn.microsoft.com/en-us/library/aa337562.aspx). You will notice permissions-related errors in the Application logs on the MBAM administration and monitoring server if any of the previous conditions are true. In that case, you should manually add the NT Authority\Network Service account and MBAM administration servers computer account and grant them a server-wide public role on the SQL database server that is using SQL Server Management Studio (https://msdn.microsoft.com/library/aa337562.aspx).
#### Review the web service logs #### Review the web service logs
If no events are logged in the Application logs on the MBAM administration server, its time to review the web service logs (.svclog) of the MBAM web service that is hosted on the MBAM administration and monitoring server. You will have to use the Service Trace Viewer Tool (SvcTraceViewer.exe) http://msdn.microsoft.com/en-us/library/ms732023.aspx to view the log file. If no events are logged in the Application logs on the MBAM administration server, its time to review the web service logs (.svclog) of the MBAM web service that is hosted on the MBAM administration and monitoring server. You will have to use the Service Trace Viewer Tool (SvcTraceViewer.exe) https://msdn.microsoft.com/library/ms732023.aspx to view the log file.
You should primarily investigate the service trace logs of RecoveryandHardwareService and ComplianceStatusService. By default, web service logs are located in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. There, each service writes its .svclog file under its own folder. You should primarily investigate the service trace logs of RecoveryandHardwareService and ComplianceStatusService. By default, web service logs are located in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. There, each service writes its .svclog file under its own folder.


@ -12,7 +12,7 @@ ms.localizationpriority: Normal
# Upgrade from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update # Upgrade from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the Microsoft Desktop Optimization Pack (MDOP) July 2018 servicing update in a standalone configuration. This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the [Microsoft Desktop Optimization Pack (MDOP) May 2019 servicing update](https://support.microsoft.com/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack) in a standalone configuration.
In this guide, we will use a two-server configuration. One server will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The other server will be a Windows Server 2012 R2 web server. This server will host "Administration and Monitoring" and "Self-Service Portal." In this guide, we will use a two-server configuration. One server will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The other server will be a Windows Server 2012 R2 web server. This server will host "Administration and Monitoring" and "Self-Service Portal."


@ -1,6 +1,6 @@
--- ---
title: Change history for Application management in Windows 10 (Windows 10) title: Change history for Application management in Windows 10 (Windows 10)
description: This topic lists changes to documentation for configuring Windows 10. description: View changes to documentation for application management in Windows 10.
keywords: keywords:
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: manage ms.mktglfcycl: manage

View File

@ -4,6 +4,7 @@
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [New policies for Windows 10](new-policies-for-windows-10.md) ## [New policies for Windows 10](new-policies-for-windows-10.md)
## [Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md)
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
## [What version of Windows am I running](windows-version-search.md) ## [What version of Windows am I running](windows-version-search.md)
@ -30,5 +31,6 @@
#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) #### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
## [Mobile device management for solution providers](mdm/index.md) ## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md) ## [Change history for Client management](change-history-for-client-management.md)

View File

@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
## Kernel Phase ## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
@ -229,7 +228,8 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- Specific error code is displayed. - Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
[Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.


@ -0,0 +1,50 @@
---
title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.date: 12/13/2019
ms.prod: w10
ms.topic: article
ms.custom:
- CI 111493
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
manager: kaushika
---
# Change in default removal policy for external storage media in Windows 10, version 1809
Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
In earlier versions of Windows, the default policy was **Better performance**.
You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
## More information
You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!IMPORTANT]
> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
> [!NOTE]
> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
To change the policy for an external storage device:
1. Connect the device to the computer.
2. Right-click **Start**, then select **File Explorer**.
3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
4. Right-click **Start**, then select **Disk Management**.
5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
6. Select **Policies**, and then select the policy you want to use.
![Policy options for disk management](./images/change-def-rem-policy-2.png)


@ -1,6 +1,6 @@
--- ---
title: Change history for Client management (Windows 10) title: Change history for Client management (Windows 10)
description: This topic lists changes to documentation for configuring Windows 10. description: View changes to documentation for client management in Windows 10.
keywords: keywords:
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: manage ms.mktglfcycl: manage
@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
ms.date: 12/06/2018 ms.date: 12/27/2019
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.topic: article ms.topic: article
@ -19,6 +19,13 @@ ms.topic: article
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## December 2019
New or changed topic | Description
--- | ---
[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
## December 2018 ## December 2018
New or changed topic | Description New or changed topic | Description

Binary file not shown.


Width:  |  Height:  |  Size: 125 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 159 KiB


@ -23,6 +23,7 @@ Learn about the administrative tools, tasks and best practices for managing Wind
|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)| |[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| |[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10| |[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
|[Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md) |In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." |
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| |[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. | | [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|

View File

@ -8,7 +8,7 @@ author: Deland-Han
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: delhan ms.author: delhan
ms.reviewer: greglin ms.reviewer: greglin
manager: willchen manager: dcscontentpm
--- ---
# Introduction to page files # Introduction to page files

View File

@ -1,6 +1,6 @@
--- ---
title: AccountManagement CSP title: AccountManagement CSP
description: Used to configure settings in the Account Manager service description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -1,6 +1,6 @@
--- ---
title: AccountManagement DDF file title: AccountManagement DDF file
description: Used to configure settings in the Account Manager service description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -1,6 +1,6 @@
--- ---
title: Accounts CSP title: Accounts CSP
description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -1,6 +1,6 @@
--- ---
title: Accounts DDF file title: Accounts DDF file
description: XML file containing the device description framework description: XML file containing the device description framework for the Accounts configuration service provider.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -1,6 +1,6 @@
--- ---
title: ApplicationControl CSP DDF title: ApplicationControl CSP DDF
description: This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -36,8 +36,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk-join is not supported in Azure Active Directory Join. > - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
## What you need ## What you need
@ -169,4 +168,3 @@ Here are links to step-by-step provisioning topics in Technet.

View File

@ -1,6 +1,6 @@
--- ---
title: CertificateStore DDF file title: CertificateStore DDF file
description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML. description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML.
ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8 ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp

View File

@ -1,6 +1,6 @@
--- ---
title: CleanPC CSP title: CleanPC CSP
description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10

View File

@ -1,6 +1,6 @@
--- ---
title: Mobile device management MDM for device updates title: Mobile device management MDM for device updates
description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -90,7 +90,7 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **Language** The language code identifier (LCID). For example, en or es. - **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)” - **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.” - **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
- **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <http://support.microsoft.com/kb/2902892>. - **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <https://support.microsoft.com/kb/2902892>.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol ## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
@ -635,7 +635,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important] > [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. <p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.


@ -1,6 +1,6 @@
--- ---
title: DeviceManageability CSP title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2 ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: DeviceStatus CSP title: DeviceStatus CSP
description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360 ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: Diagnose MDM failures in Windows 10 title: Diagnose MDM failures in Windows 10
description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9 ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -118,7 +118,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
**To collect logs manually** **To collect logs manually**
1. Download and install the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store. 1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
2. Open the Field Medic app and then click on **Advanced**. 2. Open the Field Medic app and then click on **Advanced**.
![field medic screenshot](images/diagnose-mdm-failures2.png) ![field medic screenshot](images/diagnose-mdm-failures2.png)


@ -1,6 +1,6 @@
--- ---
title: DMClient CSP title: DMClient CSP
description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. description: Understand how the DMClient configuration service provider works. It is used to specify enterprise-specific mobile device management configuration settings.
ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544 ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: EAP configuration title: EAP configuration
description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: EnrollmentStatusTracking DDF title: EnrollmentStatusTracking DDF
description: This topic shows the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: EnrollmentStatusTracking CSP title: EnrollmentStatusTracking CSP
description: During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. description: Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
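Review bot: The `description` that appears to be the new value for the EnrollmentStatusTracking CSP page does not match its title: it reads "Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations", which looks copied from a Windows Hello for Business article. Search results and link previews for this CSP would then advertise an unrelated identity-deployment topic. Keep the description on the Enrollment Status Page, for example `description: During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block device use until the required apps are installed.` The front matter continues outside the hunk.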


@ -1,6 +1,6 @@
--- ---
title: EnterpriseDataProtection CSP title: EnterpriseDataProtection CSP
description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -249,7 +249,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys - 0 - Don't revoke keys
- 1 (dafault) - Revoke keys - 1 (default) - Revoke keys
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer. <p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.


@ -1,6 +1,6 @@
--- ---
title: EnterpriseDesktopAppManagement CSP title: EnterpriseDesktopAppManagement CSP
description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: Provide server-side support for mobile app management on Windows title: Provide server-side support for mobile app management on Windows
description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP). description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: Mobile device management title: Mobile device management
description: Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
MS-HAID: MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'


@ -1,6 +1,6 @@
--- ---
title: MultiSIM DDF file title: MultiSIM DDF file
description: XML file containing the device description framework description: XML file containing the device description framework for the MultiSIM configuration service provider.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: NetworkQoSPolicy DDF title: NetworkQoSPolicy DDF
description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid: ms.assetid:
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: What's new in MDM enrollment and management title: What's new in MDM enrollment and management
description: This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
MS-HAID: MS-HAID:
- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc) - [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation** - **Change history in MDM documentation**
- [January 2020](#january-2020)
- [November 2019](#november-2019) - [November 2019](#november-2019)
- [October 2019](#october-2019) - [October 2019](#october-2019)
- [September 2019](#september-2019) - [September 2019](#september-2019)
@ -1935,6 +1936,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history in MDM documentation ## Change history in MDM documentation
### January 2020
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
### November 2019 ### November 2019
|New or updated topic | Description| |New or updated topic | Description|


@ -206,7 +206,7 @@ This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
<a href="" id="biometrics--only-for---device-vendor-msft-"></a>**Biometrics** (only for ./Device/Vendor/MSFT) <a href="" id="biometrics--only-for---device-vendor-msft-"></a>**Biometrics** (only for ./Device/Vendor/MSFT)
Node for defining biometric settings. This node was added in Windows 10, version 1511. Node for defining biometric settings. This node was added in Windows 10, version 1511.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* *Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="biometrics-usebiometrics--only-for---device-vendor-msft-"></a>**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) <a href="" id="biometrics-usebiometrics--only-for---device-vendor-msft-"></a>**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
@ -217,7 +217,7 @@ Default value is true, enabling the biometric gestures for use with Windows Hell
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business.* *Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
<a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) <a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.


@ -1,6 +1,6 @@
--- ---
title: PassportForWork DDF title: PassportForWork DDF
description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -99,14 +99,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
<!--/Policies--> <!--/Policies-->


@ -14,10 +14,14 @@ ms.localizationpriority: medium
# Policy CSP - Browser # Policy CSP - Browser
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
<hr/> <hr/>
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
<!--Policies--> <!--Policies-->
## Browser policies ## Browser policies


@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/27/2019 ms.date: 01/08/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -3068,7 +3068,7 @@ The following list shows the supported values:
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
This value is a list of threat severity level IDs and corresponding actions, separated by a<strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 This value is a list of threat severity level IDs and corresponding actions, separated by a <strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3".
The following list shows the supported values for threat severity levels: The following list shows the supported values for threat severity levels:
@ -3079,12 +3079,12 @@ The following list shows the supported values for threat severity levels:
The following list shows the supported values for possible actions: The following list shows the supported values for possible actions:
- 1 Clean - 1 Clean. Service tries to recover files and try to disinfect.
- 2 Quarantine - 2 Quarantine. Moves files to quarantine.
- 3 Remove - 3 Remove. Removes files from system.
- 6 Allow - 6 Allow. Allows file/does none of the above actions.
- 8 User defined - 8 User defined. Requires user to make a decision on which action to take.
- 10 Block - 10 Block. Blocks file execution.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
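Review bot: Two of the new action descriptions in the second hunk read ambiguously for a setting that decides how detected threats are handled. `1 – Clean. Service tries to recover files and try to disinfect.` has a verb mismatch, and `6 – Allow. Allows file/does none of the above actions.` says "above" although Block (10) is listed below it, so a reader cannot tell whether Allow also means the file is not blocked. If that is the intended meaning, suggested wording is `- 1 – Clean. The service tries to recover and disinfect the files.` and `- 6 – Allow. Allows the file and takes no remediation action.` The list of severity level IDs this maps to lies outside the hunk.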


@ -1,6 +1,6 @@
--- ---
title: Policy CSP - DeviceHealthMonitoring title: Policy CSP - DeviceHealthMonitoring
description: Policy CSP - TimeLanguageSettings description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: Policy CSP - TimeLanguageSettings title: Policy CSP - TimeLanguageSettings
description: Policy CSP - TimeLanguageSettings description: Learn which TimeLanguageSettings policies are supported for your edition of Windows.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -4248,7 +4248,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!IMPORTANT] > [!IMPORTANT]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.


@ -1,6 +1,6 @@
--- ---
title: Register your free Azure Active Directory subscription title: Register your free Azure Active Directory subscription
description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD.
ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7 ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -29,21 +29,11 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
![register azuread](images/azure-ad-add-tenant11.png) ![register azuread](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. 3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal.
![register azuread](images/azure-ad-add-tenant12.png) ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![register azuread](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![register azuread](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
![register azuread](images/azure-ad-add-tenant15.png)
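Review bot: The rewritten step 3 embeds its screenshot from `https://user-images.githubusercontent.com/...` rather than from the repository's `images/` folder, which the other steps on this page use. An image hosted outside the repository can be replaced or removed without going through review here, and it makes every reader's browser fetch content from a host the docs site does not control. Commit the screenshot under `images/` and reference it relatively, e.g. `![Azure Active Directory in the admin center](images/<new-screenshot>.png)` (placeholder file name). The alt text `Azure-AD-updated` could also describe what the image shows.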
   


@ -1,6 +1,6 @@
--- ---
title: Reporting DDF file title: Reporting DDF file
description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35 ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: SecureAssessment DDF file title: SecureAssessment DDF file
description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: TenantLockdown DDF file title: TenantLockdown DDF file
description: XML file containing the device description framework description: XML file containing the device description framework for the TenantLockdown configuration service provider.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: UnifiedWriteFilter CSP title: UnifiedWriteFilter CSP
description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp


@ -1,6 +1,6 @@
--- ---
title: Win32CompatibilityAppraiser DDF file title: Win32CompatibilityAppraiser DDF file
description: XML file containing the device description framework description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10


@ -1,6 +1,6 @@
--- ---
title: Enterprise settings, policies, and app management title: Enterprise settings, policies, and app management
description: The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
MS-HAID: MS-HAID:
- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'


@ -1,6 +1,6 @@
--- ---
title: WindowsSecurityAuditing DDF file title: WindowsSecurityAuditing DDF file
description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. description: View the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider.
ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0 ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
