Merge branch 'master' into Tp-updateTinaMcNaboe

devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md

@@ -611,7 +611,7 @@ function ExitIfError($strMsg)
 
 ## Check dependencies ##
 try {
-    Import-Module LyncOnlineConnector
+    Import-Module SkypeOnlineConnector
     Import-Module MSOnline
 }
 catch
@@ -1100,7 +1100,7 @@ if ($fSfbIsOnline -or $fExIsOnline)
 if ($fSfbIsOnline)
 {
     try {
-        Import-Module LyncOnlineConnector
+        Import-Module SkypeOnlineConnector
     }
     catch
     {
@@ -1513,7 +1513,7 @@ else
 if ($online)
 {
     try {
-        Import-Module LyncOnlineConnector
+        Import-Module SkypeOnlineConnector
     }
     catch
     {

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -46,7 +46,9 @@ You can enroll your Surface Hubs using bulk, manual, or automatic enrollment.
 
 Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. 
 
-For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
+First step is to set up Automatic MDM enrollment. See [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
+
+Then, when devices are setup during First-run, pick the option to join to Azure Active Directory, see [Set up admins for this device page](https://docs.microsoft.com/surface-hub/first-run-program-surface-hub#set-up-admins-for-this-device-page)
 
 ## Manage Surface Hub settings with MDM
 

devices/surface-hub/surface-hub-2s-account.md

@@ -35,7 +35,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
 
 ![Leave remaining settings unchanged in the default state](images/sh2-account3.png)
 
-3. Set the password for the device account. Ensure that you **do not** select the option **Make this user change their password when they first sign in.**
+3. Set the password for the device account. To set the password, choose **Users** and then select **Active Users**. Now search for the newly created user to set the password. Ensure that you **do not** select the option **Make this user change their password when they first sign in.**
 
 ![Set the password for the device account](images/sh2-account4.png)
 

devices/surface/microsoft-surface-data-eraser.md

@@ -36,6 +36,7 @@ Compatible Surface devices include:
 * Surface Pro (Model 1796)
 * Surface Laptop
 * Surface Studio
+* Surface Studio 2
 * Surface Book
 * Surface Pro 4
 * Surface 3 LTE

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -22,13 +22,13 @@ Requirements:
 - The enterprise has configured a mobile device management (MDM) service  
 - The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
-- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
+- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
 
 > [!TIP]
 > For additional information, see the following topics:
 > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
-> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan)
-> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
+> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan)
+> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
 
 The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
 
@@ -48,7 +48,7 @@ The following steps demonstrate required settings using the Intune service:
 
     ![Intune license verification](images/auto-enrollment-intune-license-verification.png)
 
-2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). 
+2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). 
 Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues. 
 
     ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
@@ -76,7 +76,7 @@ Also verify that the **MAM user scope** is set to **None**. Otherwise, it will h
 
     ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png)
 
-7. Verify that the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. 
+7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. 
 You may contact your domain administrators to verify if the group policy has been deployed successfully.
 
 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
@@ -106,13 +106,17 @@ Requirements:
 
     ![MDM policies](images/autoenrollment-mdm-policies.png)
 
-4. Double-click **Auto MDM Enrollment with AAD Token**.
+4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**.
 
     ![MDM autoenrollment policy](images/autoenrollment-policy.png)
 
 5. Click **Enable**, then click **OK**.
 
-     A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
+> [!NOTE]
+> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed. 
+The default behavior for older releases is to revert to **User Credential**.
+
+When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
 
 To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
 
@@ -120,6 +124,10 @@ Requirements:
 
 ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
 
+> [!Tip]
+> You can avoid this behavior by using Conditional Access Policies in Azure AD.
+Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
+
 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
 
 7. Click **Info** to see the MDM enrollment information.
@@ -154,18 +162,20 @@ Requirements:
 - Ensure that PCs belong to same computer group.
 
 > [!IMPORTANT]
-> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:        
+> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803, version 1809, or version 1903. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):        
 >   1. Download:  
 >   1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
 >   1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
->   1903 --> [Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
+>   1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
 >   2. Install the package on the Primary Domain Controller (PDC).
 >   3. Navigate, depending on the version to the folder:
 >   1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
->   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** or
+>   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
 >   1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
->   4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** .
->   5. Restart the Primary Domain Controller for the policy to be available.
+>   4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
+>   5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
+>   (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
+>   6. Restart the Primary Domain Controller for the policy to be available.
 >   This procedure will work for any future version as well.
 
 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.

windows/client-management/mdm/oma-dm-protocol-support.md

@@ -349,7 +349,7 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
 <a href="" id="syncml-response-codes"></a>
 ## SyncML response status codes
 
-When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
+When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
 
 | Status code | Description                                                                                                                                                                                                                       |
 |-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

windows/configuration/lock-down-windows-10-to-specific-apps.md

@@ -411,7 +411,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups are not supporte
 <span id="add-xml" />
 
 #### [Preview] Global Profile
-Global profile is added in curernt Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios.
+Global profile is added in current Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios.
 
 Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user.
 
@@ -466,7 +466,9 @@ Note:
         </Profile>
     </Profiles>
     <Configs>
+        <Config>  
             <v3:GlobalProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+        </Config>
     </Configs>
 </AssignedAccessConfiguration>
 ```

windows/configuration/provisioning-packages/provision-pcs-with-apps.md

@@ -41,6 +41,9 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 ### MSI installer
 
+> [!NOTE]
+> You can find more information about command-line options for Msiexec.exe [here](https://docs.microsoft.com/windows/win32/msi/command-line-options).
+
 - **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE 
 
 - **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install 

windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md

@@ -33,8 +33,8 @@ Figure 1. The machines used in this topic.
 
 Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
 
-**Note**  
-Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
+> [!NOTE]
+> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
  
 ### Linked deployment shares in MDT
 
@@ -49,6 +49,7 @@ DFS-R is not only very fast and reliable, but it also offers central monitoring,
 Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings.
 
 ### Prepare MDT01 for replication
+
 1.  On MDT01, using Server Manager, click **Add roles and features**.
 2.  On the **Select installation type** page, select **Role-based or feature-based installation**.
 3.  On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**.
@@ -88,23 +89,30 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
 When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
 1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this:
 
-   ``` 
+   ```ini
    [Settings]
    Priority=DefaultGateway, Default
+
    [DefaultGateway]
    192.168.1.1=NewYork
    192.168.2.1=Stockholm
+
    [NewYork]
    DeployRoot=\\MDT01\MDTProduction$
+
    [Stockholm]
    DeployRoot=\\MDT02\MDTProduction$
+
    [Default]
    UserDomain=CONTOSO
    UserID=MDT_BA
    SkipBDDWelcome=YES
    ```
-   **Note**  
-   The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+   > [!NOTE]
+   > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. 
+   > 
+   > To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
      
 2. Save the Bootstrap.ini file.
 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**.
@@ -121,9 +129,12 @@ When you have multiple deployment servers sharing the same content, you need to
    Figure 5. Replacing the updated boot image in WDS.
 
 6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
+
    ## <a href="" id="sec03"></a>Replicate the content
    Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication.
+
    ### Create the replication group
+
 7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**.
 8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
 9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
@@ -146,7 +157,9 @@ When you have multiple deployment servers sharing the same content, you need to
 
 17. On the **Review Settings and Create Replication Group** page, click **Create**.
 18. On the **Confirmation** page, click **Close**.
+
     ### Configure replicated folders
+
 19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**.
 20. In the middle pane, right-click the **MDT01** member and select **Properties**.
 21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
@@ -167,8 +180,8 @@ When you have multiple deployment servers sharing the same content, you need to
     1.  In the **Staging** tab, set the quota to **20480 MB**.
     2.  In the **Advanced** tab, set the quota to **8192 MB**.
 
-**Note**  
-It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
+    > [!NOTE]
+    > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
  
 ### Verify replication
 1.  On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder.

windows/deployment/update/windows-analytics-privacy.md

@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
+ms.audience: itpro
+author: greg-lindsay
 ms.localizationpriority: high
 ms.collection: M365-analytics
 ms.topic: article
@@ -43,6 +45,7 @@ See these topics for additional background information about related privacy iss
 - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
 - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
 - [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+- [Windows 10, version 1903 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903)
 - [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809)
 - [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803)
 - [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)

windows/deployment/volume-activation/volume-activation-windows-10.md

@@ -1,5 +1,5 @@
 ---
-title: Volume Activation for Windows 10 (Windows 10)
+title: Volume Activation for Windows 10
 description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
 ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2
 ms.reviewer: 
@@ -10,7 +10,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.localizationpriority: medium
 ms.date: 07/27/2017
 ms.topic: article
@@ -18,36 +19,38 @@ ms.topic: article
 
 # Volume Activation for Windows 10
 
-**Applies to**
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012 R2
--   Windows Server 2012
--   Windows Server 2008 R2
+> Applies to
+>
+>- Windows 10
+>- Windows Server 2012 R2
+>- Windows Server 2012
+>- Windows Server 2016
+>- Windows Server 2019
 
 **Looking for volume licensing information?**
+
 - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
 
 **Looking for retail activation?**
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+- [Get Help Activating Microsoft Windows](https://support.microsoft.com/help/12440/windows-10-activate)
 
 This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
-*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions.
+
+*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/).
 
 Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
 
-This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation.
+This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
 
-Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide 
-discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions.
+Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions.
 
-Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library.
+Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
 
 If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210).
 
 To successfully plan and implement a volume activation strategy, you must:
+
 - Learn about and understand product activation.
 - Review and evaluate the available activation types or models.
 - Consider the connectivity of the clients to be activated.
@@ -58,7 +61,8 @@ To successfully plan and implement a volume activation strategy, you must:
 
 Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
 
-**In this guide:**
+## Additional information
+
 - [Plan for volume activation](plan-for-volume-activation-client.md)
 - [Activate using Key Management Service](activate-using-key-management-service-vamt.md)
 - [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md)
@@ -66,4 +70,3 @@ Keep in mind that the method of activation does not change an organization’s r
 - [Monitor activation](monitor-activation-client.md)
 - [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md)
 - [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md)
- 

windows/deployment/windows-autopilot/windows-autopilot-requirements.md

@@ -78,6 +78,10 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
 <tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
 <tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>.
 <tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
+<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: 
+  <br>Intel- https://ekop.intel.com/ekcertservice 
+  <br>Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
+  <br>AMD- https://ftpm.amd.com/pki/aia
 </table>
 
 ## Licensing requirements

windows/security/identity-protection/hello-for-business/hello-features.md

@@ -25,12 +25,238 @@ ms.date: 05/05/2018
 
 Consider these additional features you can use after your organization deploys Windows Hello for Business.
 
-- [Conditional Access](hello-feature-conditional-access.md)
-- [Dual Enrollment](hello-feature-dual-enrollment.md)
-- [Dynamic lock](hello-feature-dynamic-lock.md)
-- [Multifactor Unlock](feature-multifactor-unlock.md)
-- [PIN Reset](hello-feature-pin-reset.md)
-- [Remote Desktop](hello-feature-remote-desktop.md)
+## Conditional access 
+
+**Requirements:**
+* Azure Active Directory  
+* Hybrid Windows Hello for Business deployment 
+
+
+In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+  
+* Empower the end users to be productive wherever and whenever
+* Protect the corporate assets at any time
+ 
+To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
+
+Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access.  Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
+
+## Dynamic lock
+
+**Requirements:**
+* Windows 10, version 1703
+
+Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value.  You configure the dynamic lock policy using Group Policy.  You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.  The name of the policy is **Configure dynamic lock factors**.
+
+The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+
+> [!IMPORTANT]
+>Microsoft recommends using the default values for this policy settings.  Measurements are relative based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. 
+
+```
+<rule schemaVersion="1.0"> 
+	<signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> 
+</rule>
+```
+
+For this policy setting, the **type** and **scenario** attribute values are static and cannot change.  The **classofDevice** attribute defaults Phones and uses the values from the following table 
+
+|Description|Value|
+|:-------------|:-------:|
+|Miscellaneous|0|
+|Computer|256|
+|Phone|512|
+|LAN/Network Access Point|768|
+|Audio/Video|1024|
+|Peripheral|1280|
+|Imaging|1536|
+|Wearable|1792|
+|Toy|2048|
+|Health|2304|
+|Uncategorized|7936|
+
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
+
+RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+
+## PIN reset
+
+**Applies to:**
+-   Windows 10, version 1709 or later
+
+
+### Hybrid Deployments
+
+**Requirements:**
+- Azure Active Directory
+- Hybrid Windows Hello for Business deployment
+- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
+- Windows 10, version 1709 or later, **Enterprise Edition**
+ 
+The Microsoft PIN reset services enables you to help users who have forgotten their PIN.  Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
+
+>[!IMPORTANT]
+> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**.  The feature does not work with the **Pro** edition.
+
+#### Onboarding the Microsoft PIN reset service to your Intune tenant
+
+Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. 
+
+#### Connect Azure Active Directory with the PIN reset service
+
+1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.<br>
+![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)<br>
+3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.<br>
+![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
+
+#### Configure Windows devices to use PIN reset using Group Policy
+You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 
+
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+2. Edit the Group Policy object from step 1.
+3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC. 
+
+#### Configure Windows devices to use PIN reset using Microsoft Intune
+To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
+
+##### Create a PIN Reset Device configuration profile using Microsoft Intune
+
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
+2. You need your tenant ID to complete the following task.  You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal.  You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.</br>
+   ```
+   dsregcmd /status | findstr -snip "tenantid"
+   ```
+3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
+4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list.  Select **Custom** from the **Profile type** list.
+5. In the **Custom OMA-URI Settings** blade, Click **Add**.
+6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
+7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
+8. Click **OK** to save the row configuration. Click **OK** to close the <strong>Custom OMA-URI Settings blade.  Click **Create</strong> to save the profile.
+ 
+##### Assign the PIN Reset Device configuration profile using Microsoft Intune
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 
+2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
+3. In the device configuration profile, click **Assignments**.
+4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
+
+### On-premises Deployments
+
+**Requirements**
+* Active Directory
+* On-premises Windows Hello for Business deployment
+* Reset from settings - Windows 10, version 1703, Professional
+* Reset above Lock - Windows 10, version 1709, Professional
+
+On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen.  Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.
+
+>[!IMPORTANT]
+>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.
+
+#### Reset PIN from Settings
+1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
+2. Open **Settings**, click **Accounts**, click **Sign-in options**.
+3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
+
+#### Reset PIN above the Lock Screen
+ 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+ 2. Enter your password and press enter.
+ 3. Follow the instructions provided by the provisioning process
+ 4. When finished, unlock your desktop using your newly created PIN.
+
+>[!NOTE]
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+
+## Dual Enrollment
+
+**Requirements**
+* Hybrid and On-premises Windows Hello for Business deployments
+* Enterprise Joined or Hybrid Azure joined devices
+* Windows 10, version 1709
+
+> [!NOTE]
+> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
+
+> [!IMPORTANT]
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature.  Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users.  Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used.  Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
+
+Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
+
+By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. 
+
+With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+
+> [!IMPORTANT]
+> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business.  Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+
+### Configure Windows Hello for Business Dual Enroll
+In this task you will 
+- Configure Active Directory to support Domain Administrator enrollment
+- Configure Dual Enrollment using Group Policy
+
+#### Configure Active Directory to support Domain Administrator enrollment
+The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute.  You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+
+Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
+```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
+where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment.  For example:</br>
+```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
+2. To trigger security descriptor propagation, open **ldp.exe**.
+3. Click **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
+4. Click **Connection** and select **Bind...**  Click **OK** to bind as the currently signed-in user.
+5. Click **Browser** and select **Modify**.  Leave the **DN** text box blank.  Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**.  Click **Enter** to add this to the **Entry List**.
+6. Click **Run** to start the task.
+7. Close LDP.  
+
+#### Configuring Dual Enrollment using Group Policy
+You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
+
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+2. Edit the Group Policy object from step 1.
+3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
+5. Restart computers targeted by this Group Policy object. 
+
+The computer is ready for dual enrollment.  Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business.  You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+
+## Remote Desktop with Biometrics 
+
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released.  Microsoft makes no warranties, express or implied, with respect to the information provided here. 
+
+**Requirements**
+- Hybrid and On-premises Windows Hello for Business deployments
+- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Certificate trust deployments
+- Biometric enrollments
+- Windows 10, version 1809
+
+Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture.  Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.  The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
+
+> [!IMPORTANT]
+> The remote desktop with biometrics feature only works with certificate trust deployments.  The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.  Microsoft continues to investigate supporting this feature for key trust deployments.
+
+### How does it work 
+It start with creating cryptographic keys.  Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP).  Software-based keys are created and stored using the Microsoft Software Key Storage Provider.  Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider.  Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
+
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP.  Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store.  The private key remains on the smart card and the public key is stored with the certificate.  Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). 
+
+This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric).  The certificate APIs hide this complexity.  When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider.  The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate.  This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). 
+
+Windows Hello for Business emulates a smart card for application compatibility.  Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN.  Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. 
+
+### Compatibility
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.  You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+
+![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
+
+> [!IMPORTANT]
+> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials.  Microsoft continues to investigate supporting the feature.
+
 
 ## Related topics
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -44,7 +44,7 @@ If you upgraded your Active Directory schema to the Windows Server 2016 schema a
 A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration.  A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory.  For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/devices/overview).
 
 You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
-![dsregcmd outpout](images/aadj/dsregcmd.png)
+![dsregcmd output](images/aadj/dsregcmd.png)
 
 ### CRL Distribution Point (CDP)
 
@@ -122,7 +122,7 @@ You need to host your new certificate revocation list of a web server so Azure A
 5. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Configuration Editor**.
 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
    ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png)   
-   In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**.  Click **Apply** in the actions pane.
+   In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**.  Click **Apply** in the actions pane.
    ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png)
 7. Close **Internet Information Services (IIS) Manager**. 
 
@@ -264,7 +264,7 @@ Steps you will perform include:
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Click the **Certification Path** tab.  In the **Certifcation path** view, select the top most node and click **View Certificate**.
+4. Click the **Certification Path** tab.  In the **Certification path** view, select the top most node and click **View Certificate**.
 ![Certificate Path](images/aadj/certlm-cert-path-tab.png)
 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
 ![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png)

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md

@@ -205,7 +205,7 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
 `/adfs/services/trust/13/certificatemixed`
 
 > [!WARNING]
-> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
+> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
 
 > [!NOTE]
 >If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).

windows/security/identity-protection/hello-for-business/hello-planning-guide.md

@@ -79,7 +79,7 @@ The key trust type does not require issuing authentication certificates to end u
 The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 
 > [!NOTE]
-> RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim
+> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time.
 
 #### Device registration
 
@@ -91,6 +91,9 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa
 
 #### Multifactor authentication
 
+> [!IMPORTANT]
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
+
 The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
 
 Cloud only and hybrid deployments provide many choices for multi-factor authentication.  On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -36,9 +36,9 @@ Attack surface reduction rules target behaviors that malware and malicious apps
 * Obfuscated or otherwise suspicious scripts
 * Behaviors that apps don't usually initiate during normal day-to-day work
 
-You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center.
 
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 

windows/security/threat-protection/microsoft-defender-atp/configuration-score.md

@@ -53,7 +53,7 @@ The goal is to remediate the issues in the security recommendations list to impr
 See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
 
 >[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network:
+>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
 >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
 >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
 >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
@@ -62,8 +62,6 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 >To download the security updates:
 >1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx).
 >2. Key-in the security update KB number that you need to download, then click **Search**.  
->
->Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
 
 ## Related topics
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 

windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md

@@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 - Windows 10 Enterprise E5
 - Windows 10 Education E5
 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package
 
 For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
 

windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md

@@ -141,7 +141,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
 
     ![Settings with download connector button](images/atp-download-connector.png)
 
-4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
+4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`.
 
 5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
 
@@ -151,6 +151,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
 
 8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
 
+    > [!NOTE]
+    > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**".
+    
     >[!NOTE]
     >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
 

windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md

@@ -29,21 +29,19 @@ Ensure that your machines:
 >[!NOTE]
 >Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
 
-- Have the following mandatory updates installed:
-- (1) RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)
-- (2) RS4 customers | [KB4493464](https://support.microsoft.com/help/4493464)
+- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
+
+> Release | Security update KB number and link
+> :---|:---
+> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+
 - Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905
 - Have at least one security recommendation that can be viewed in the machine page
 - Are tagged or marked as co-managed
 
->[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network:
->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-><P>Downloading and deploying the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
-
 ## Reduce your threat and vulnerability exposure
 Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
 

windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md

@@ -26,12 +26,11 @@ Threat & Vulnerability Management leverages the same signals in Microsoft Defend
 The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
 
 >[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following set of optional security updates and deploy them in your network:
+>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
 >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
 >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
 >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
 >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-><P>Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
 
 ## Navigate through your organization's weaknesses page
 You can see the list of vulnerabilities in four ways: 

windows/security/threat-protection/security-compliance-toolkit-10.md

@@ -31,9 +31,7 @@ The Security Compliance Toolkit consists of:
     -   Windows 10 Version 1809 (October 2018 Update)
     -   Windows 10 Version 1803 (April 2018 Update)
     -   Windows 10 Version 1709 (Fall Creators Update)
-    -   Windows 10 Version 1703 (Creators Update)
     -   Windows 10 Version 1607 (Anniversary Update)
-    -   Windows 10 Version 1511 (November Update)
     -   Windows 10 Version 1507
 
 -   Windows Server security baselines
@@ -42,7 +40,7 @@ The Security Compliance Toolkit consists of:
     -   Windows Server 2012 R2
 
 -   Microsoft Office security baseline
-    -   Office 2016 
+    -   Office365 ProPlus (Sept 2019)
 
 -   Tools
     -   Policy Analyzer tool

windows/security/threat-protection/security-policy-settings/account-policies.md

@@ -25,7 +25,8 @@ ms.date: 04/19/2017
 An overview of account policies in Windows and provides links to policy descriptions.
 
 All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
-> **Note:**  Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
+> [!NOTE]
+> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
  
 The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.
 

windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md

@@ -84,6 +84,9 @@ Settings are applied in the following order through a Group Policy Object (GPO),
 
 When a local setting is greyed out, it indicates that a GPO currently controls that setting.
 
+> [!NOTE]
+> More information about configuring the policy can be found [here](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
+
 ## Security considerations
 
 This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md

@@ -107,6 +107,9 @@ The procedures in this article first describe how to set the order, and then how
 
    6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
 
+> [!NOTE]
+> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Windows Defender Antivirus > Signature Updates**
+> For Windows 10, version 1903, the policy path is **Windows Components > Windows Defender Antivirus > Security Intelligence Updates**
 
 **Use Configuration Manager to manage the update location:**
 

windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md

@@ -149,7 +149,7 @@ In this case, Tamper Protection status changes, and this feature is no longer ap
 
 ### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Advanced Threat Protection portal?
 
-Yes. The alert is shown in [https://microsoft.securitycenter.com](https://microsoft.securitycenter.com) under **Alerts**. 
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://microsoft.securitycenter.com) under **Alerts**. 
 
 In addition, your security operations team can use hunting queries, such as the following:
 

windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md

@@ -43,6 +43,10 @@ The following matrix illustrates the states that Windows Defender AV will enter
 | Windows Server 2016 |                         Windows Defender AV                         |                       No                        |            Active mode            |
 
 (<a id="fn1">1</a>)  On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine.
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: 
+- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection 
+- Name: ForceDefenderPassiveMode 
+- Value: 1
 
 See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations.
 

windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md

@@ -90,7 +90,8 @@ AppLocker rules can be created on domain controllers.
 
 AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
 
-> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
+> [!NOTE]
+> The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
  
 ### Using AppLocker on Server Core
 

windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md

@@ -27,7 +27,8 @@ This topic for IT professionals describes the steps to create a standard set of
 
 AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
 
->**Important:**  You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.
+> [!IMPORTANT]
+> You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.
  
 You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
 

windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md

@@ -30,7 +30,8 @@ This topic for IT professionals describes concepts and lists procedures to help
 Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity.
 With packaged apps, it is possible to control the entire app by using a single AppLocker rule.
 
->**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
+> [!NOTE]
+> AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
  
 Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
 
@@ -53,9 +54,10 @@ For more info about packaged apps, see [Packaged apps and packaged app installer
 
 You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet.
 
->**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+> [!NOTE]
+> Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
  
-For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/library/hh847210.aspx).
+For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](https://docs.microsoft.com/powershell/module/applocker/).
 
 For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
 
@@ -74,7 +76,7 @@ Just as there are differences in managing each rule collection, you need to mana
 
 1.  Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
 
-2.  Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](https://technet.microsoft.com/library/ee460941(WS.10).aspx).
+2.  Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules).
 
 3.  Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
 

windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md

@@ -27,7 +27,8 @@ This topic for IT professional describes the set of rules that can be used to en
 
 AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
 
->**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.
+> [!IMPORTANT]
+> You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.
  
 If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. 
 The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:

windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md

@@ -80,6 +80,9 @@ When merging, the policy type and ID of the leftmost/first policy specified is u
 
 ### Deploying policies
 
+> [!NOTE]
+> You cannot use the "Deploy Windows Defender Application Control" group policy setting to deploy multiple CI policies. You will have to copy the `*.cip` files, both the baseline and the supplemental ones, to C:\Windows\System32\CodeIntegrity\CiPolicies\Active\.
+
 In order to deploy policies using the new multiple policy format you will need to:
 
 1. Ensure policies are copied to the right location

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md

@@ -88,7 +88,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
 - msxml6.dll
 - jscript9.dll
 
-Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
 
 ```xml
 <?xml version="1.0" encoding="utf-8" ?> 
@@ -888,9 +888,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <FileRuleRef RuleID="ID_DENY_WMIC"/>
   <FileRuleRef RuleID="ID_DENY_MWFC" /> 
   <FileRuleRef RuleID="ID_DENY_WFC" /> 
+  <!-- Uncomment the relevant line(s) below if you have uncommented them in the rule definitions above.
   <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
   <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
   <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
+  -->
   <FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" /> 
   <FileRuleRef RuleID="ID_DENY_DOTNET" /> 
   <FileRuleRef RuleID="ID_DENY_MS_BUILD" /> 

windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md

@@ -89,6 +89,9 @@ First, create the WMI filter and configure it to look for a specified version (o
 
 10. Click **Save** to save your completed filter.
 
+> [!NOTE]
+> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied.
+
 ## To link a WMI filter to a GPO
 
 After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.