Merge branch 'master' into surface-2s-update

This commit is contained in:
Robert Mazzoli 2019-07-18 06:45:02 -07:00
commit e740a2fa28
20 changed files with 662 additions and 67 deletions

View File

@ -1,46 +1,75 @@
--- ---
title: Set up HoloLens (HoloLens) title: Set up a new HoloLens
description: The first time you set up HoloLens, you'll need a Wi-Fi network and either a Microsoft or Azure Active Directory account. description: This guide walks through first time set up. You'll need a Wi-Fi network and either a Microsoft (MSA) or Azure Active Directory (AAD) account.
ms.prod: hololens ms.prod: hololens
ms.sitesec: library ms.sitesec: library
author: dansimp author: scooley
ms.author: dansimp ms.author: scooley
ms.topic: article ms.topic: quickstart
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 07/27/2017 ms.date: 07/14/2019
ms.reviewer:
manager: dansimp
--- ---
# Set up HoloLens # Set up HoloLens for the first time
Before you get started setting up your HoloLens, make sure you have a Wi-Fi network and a Microsoft account or an Azure Active Directory (Azure AD) account. Follow along to set up a HoloLens for the first time. At the end of this quickstart, you'll be able to use HoloLens and navigate HoloLens settings on-device.
## Network connectivity requirements This is a high level unboxing guide to become familiar with HoloLens.
See [Set up HoloLens in the enterprise](hololens-requirements.md) to configure HoloLens for scale enterprise deployment and ongoing device management.
The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated. ## Prerequisites
- It can be an open Wi-Fi or password-protected Wi-Fi network. - Internet access.
- The Wi-Fi network cannot require certificates to connect. - Wi-Fi is the easiest way to do first set up on both HoloLens and HoloLens 2. It can be an open Wi-Fi or password-protected Wi-Fi network; the Wi-Fi network does not need to provide access to enterprise resources or intranet sites.
- The Wi-Fi network does not need to provide access to enterprise resources or intranet sites. - HoloLens 2 can connect to the internet via ethernet and a USB-C adapter.
- a user account - Microsoft (MSA) or Azure Active Directory (AAD)
## HoloLens setup ## Prepare for first-boot
The HoloLens setup process combines a quick tutorial on using HoloLens with the steps needed to connect to the network and add an account. Become familiar with the HoloLens hardware and prepare to turn your HoloLens on for the first time.
1. Be sure your HoloLens is [charged](https://support.microsoft.com/help/12627), then [adjust it](https://support.microsoft.com/help/12632) for a comfortable fit. 1. Be sure your HoloLens is [charged](https://support.microsoft.com/help/12627)
2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens. 1. [Adjust fit](https://support.microsoft.com/help/12632) for a comfortable fit.
3. Next, you'll be guided through connecting to a Wi-Fi network. 1. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens.
4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**.
## Set up your HoloLens
Set up your HoloLens and your user account.
1. Connect to the internet (select Wi-Fi).
1. Sign in to your user account. You'll choose between **My work or school owns it** and **I own it**.
- When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
1. Enter your organizational account. 1. Enter your organizational account.
2. Accept privacy statement. 2. Accept privacy statement.
3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page. 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page.
4. Continue with device setup. 4. Continue with device setup.
- When you choose **I own it**, you sign in with a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). - When you choose **I own it**, you sign in with a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
1. Enter your Microsoft account. 1. Enter your Microsoft account.
2. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process. 2. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process.
5. The device sets your time zone based on information obtained from the Wi-Fi network. 1. The device sets your time zone based on information obtained from the Wi-Fi network.
6. Next, you learn how to perform the bloom gesture and how to select and place the Start screen. After you place the Start screen, setup is complete and you can begin using HoloLens. 1. Follow the first-start guides to learn how to interact with holograms, control the HoloLens with your voice, and access the start menu.
Congratulations! Setup is complete and you can begin using HoloLens.
## Explore HoloLens
### Check out on-device settings and desktop
HoloLens doesn't have an on-device command line. With that in mind, the settings section in HoloLens plays an important role in diagnosing problems on-device. Understanding the information available to HoloLens users will pay dividends when troubleshooting or configuring the device.
Open settings by opening the start menu and clicking on the **Settings** in the top bar. You can also ask Cortana to open settings.
Follow [this guide](https://docs.microsoft.com/en-us/windows/mixed-reality/navigating-the-windows-mixed-reality-home) to navigate around the HoloLens home.
### Connect bluetooth devices
Connecting a bluetooth keyboard makes typing on HoloLens as efficient as a Windows PC.
[Connect a bluetooth keyboard or clicker](https://support.microsoft.com/en-us/help/12636).
## Next steps
Start planning for HoloLens at scale with HoloLens' enterprise management features.
> [!div class="nextstepaction"]
> [HoloLens in the enterprise](hololens-requirements.md)
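Review bot: the new Prerequisites list (L29-L31) silently drops the old constraint `- The Wi-Fi network cannot require certificates to connect.` (left side of L30). If certificate-based (EAP-TLS) SSIDs still cannot be used during first-time setup, that line should be restored, since that is exactly the network an enterprise admin is likely to have; if the restriction no longer applies, say so explicitly rather than leaving readers to infer it from its absence. Smaller points: the bullet at L32 (`- a user account - Microsoft (MSA) or Azure Active Directory (AAD)`) should match the capitalization and sentence form of its siblings; the sub-steps under the Azure AD branch at L44-L47 are numbered 1-4 while the surrounding steps at L41-L42 and L51-L52 rely on repeated `1.`, so the rendered numbering will be inconsistent; and `clicking on the **Settings** in the top bar` at L57 should read `selecting **Settings** in the top bar`.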

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.8 MiB

View File

@ -1,46 +1,51 @@
--- ---
title: Microsoft HoloLens (HoloLens) title: Microsoft HoloLens (HoloLens)
description: HoloLens provides extra features designed for business in the Commercial Suite. description: Landing page for HoloLens commercial and enterprise management.
ms.prod: hololens ms.prod: hololens
ms.sitesec: library ms.sitesec: library
author: jdeckerms author: scooley
ms.author: jdecker ms.author: scooley
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 07/27/2018 ms.date: 07/14/2019
--- ---
# Microsoft HoloLens # Microsoft HoloLens
<table><tbody> <table><tbody>
<tr><td style="border: 0px;width: 75%;valign= top"><p>Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.</p><p> Microsoft HoloLens is available in the <strong>Development Edition</strong>, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the <strong>Commercial Suite</strong>, which runs Windows Holographic for Business when you apply the Enterprise license file to the device.</p></td><td align="left" style="border: 0px"><img src="images/hololens.png" alt="Hololens"/></td></tr> <tr><td style="border: 0px;width: 75%;valign= top">
<p>Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.</p>
<p>Now, with the introduction of HoloLens 2, every device provides commercial ready management enhanced by the reliability, security, and scalability of cloud and AI services from Microsoft.</p>
</td><td align="left" style="border: 0px">![Hololens](images/hololens2-side-render.png)</td></tr>
</tbody></table> </tbody></table>
## In this section ## Guides in this section
| Guide | Description |
| --- | --- |
| [Get started with HoloLens](hololens-setup.md) | Set up HoloLens for the first time. |
| [Set up HoloLens in the enterprise](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. |
| [Install and manage applications on HoloLens](hololens-install-apps.md) |Install and manage important applications on HoloLens at scale. |
| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
| [Get support](https://support.microsoft.com/products/hololens) |Connect with Microsoft support resources for HoloLens in enterprise. |
## Quick reference by topic
| Topic | Description | | Topic | Description |
| --- | --- | | --- | --- |
| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | | [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover new features in the latest updates. |
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
[Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business |
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
| [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens | | [HoloLens MDM support](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using Mobile Device Management (MDM) solutions like Microsoft Intune. |
| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens | | [HoloLens update management](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
| [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. | | [HoloLens user management](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. |
| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens. |
| [Install localized version of HoloLens](hololens-install-localized.md) | Configure HoloLens for different locale. |
## Related resources ## Related resources
- [Help for using HoloLens](https://support.microsoft.com/products/hololens) * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development)
* [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
- [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) * [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
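Review bot: the image at L92 is written as Markdown (`![Hololens](images/hololens2-side-render.png)`) inside a raw HTML `<td>`; Markdown is not processed inside an HTML block, so this will render as literal text where the left side's `<img src="images/hololens.png" alt="Hololens"/>` rendered an image. Keep an `<img>` tag with an `alt` attribute. Also in the new tables: L100 and L101 are two rows (`Recover and troubleshoot HoloLens issues` and `Get support`) that link to the same `https://support.microsoft.com/products/hololens`, so either point the first at the actual logs/recovery topic or merge the rows; `Multiple users can shared a HoloLens device` at L117 carries over the old typo (`share`); and the `Get started with HoloLens` link text at L97 does not match the target page's new title `Set up a new HoloLens` (L12), which matters for readers navigating by TOC and search.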

View File

@ -14,7 +14,9 @@
"resource": [ "resource": [
{ {
"files": [ "files": [
"**/images/**" "**/images/**",
"**/*.pptx",
"**/*.pdf"
], ],
"exclude": [ "exclude": [
"**/obj/**" "**/obj/**"
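Review bot: `**/*.pptx` and `**/*.pdf` at L135-L136 publish every deck and PDF anywhere under the docset as site resources, not just the asset this commit needs. Scope the globs to the directory that actually holds that asset so a stray working file dropped into an unrelated folder is not shipped to the public site. A 3.8 MiB binary is added elsewhere in this commit (L71); if that is the file these globs are meant to pick up, a narrower pattern still covers it, and a size check in CI for these extensions would be worth adding at the same time.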

View File

@ -55,6 +55,8 @@
### [AllJoynManagement CSP](alljoynmanagement-csp.md) ### [AllJoynManagement CSP](alljoynmanagement-csp.md)
#### [AllJoynManagement DDF](alljoynmanagement-ddf.md) #### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
### [APPLICATION CSP](application-csp.md) ### [APPLICATION CSP](application-csp.md)
### [ApplicationControl CSP](applicationcontrol-csp.md)
#### [ApplicationControl DDF file](applicationcontrol-csp-ddf.md)
### [AppLocker CSP](applocker-csp.md) ### [AppLocker CSP](applocker-csp.md)
#### [AppLocker DDF file](applocker-ddf-file.md) #### [AppLocker DDF file](applocker-ddf-file.md)
#### [AppLocker XSD](applocker-xsd.md) #### [AppLocker XSD](applocker-xsd.md)

View File

@ -0,0 +1,274 @@
---
title: ApplicationControl CSP
description: ApplicationControl CSP
ms.author: dansimp@microsoft.com
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.date: 07/10/2019
---
# ApplicationControl CSP DDF
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### ApplicationControl CSP
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>ApplicationControl</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Beginning of a Subtree that contains all policies.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Policies</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The GUID of the Policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Policy GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Policy</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PolicyInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PolicyInfo</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Version</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Version</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsEffective</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsEffective</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsDeployed</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsDeployed</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsAuthorized</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IsAuthorized</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Status</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FriendlyName</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>FriendlyName</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
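Review bot: the front matter at L157-L158 gives this DDF page the title and description `ApplicationControl CSP`, identical to the CSP topic itself (L429-L430), so both pages show the same title in the TOC, browser tab and search results; use `ApplicationControl DDF file` to match the H1 at L166 and the TOC entry at L148, and give the description a real sentence. `ms.author: dansimp@microsoft.com` at L159 should be the alias form used elsewhere in this commit (`ms.author: dansimp`, L17), not an email address. The `### ApplicationControl CSP` heading at L169 is an H3 directly under the H1 with no H2 between them; either drop it, since the page has a single code block, or make it `##`.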

View File

@ -0,0 +1,236 @@
---
title: ApplicationControl CSP
description: ApplicationControl CSP
ms.author: dansimp@microsoft.com
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.date: 05/21/2019
---
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Existing WDAC policies deployed using AppLocker CSPs CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only.
ApplicationControl CSP was added in Windows 10, version 1903.
The following diagram shows ApplicationControl CSP in tree format.
![tree diagram for applicationcontrol csp](images/provisioning-csp-applicationcontrol.png)
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for ApplicationControl CSP.
Scope is permanent. Supported operation is Get.
<a href="" id="applicationcontrol-policies"></a>**ApplicationControl/Policies**
An interior node that contains all the policies, each identified by their globally unique identifier (GUID).
Scope is permanent. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid"></a>**ApplicationControl/Policies/_Policy GUID_**
ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node.
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policy"></a>**ApplicationControl/Policies/_Policy GUID_/Policy**
This node is the policy binary itself, which is encoded as base64.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base64-encoded content output by the ConvertFrom-CIPolicy cmdlet.
Default value is empty.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo**
An interior node that contains the nodes that describe the policy indicated by the GUID.
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
Value type is char.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-iseffective"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isdeployed"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
This node specifies whether a policy is deployed on the system and is present on the physical machine.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is deployed on the system and is present on the physical machine.
- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isauthorized"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
|True|True|True|Policy is currently running and in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
|True|False|False|*Not Reachable.|
|False|True|False|*Not Reachable.|
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
`*` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 == OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
Scope is dynamic. Supported operation is Get.
Value type is char.
## Usage guidance
To use ApplicationControl CSP, you must:
- Know a generated policys GUID, which can be found in the policy xml as `<PolicyTypeID>`.
- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool.
Here is a sample certutil invocation:
```
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```
An alternative to using certutil would be to use the following PowerShell invocation:
```
[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI
functionality to apply the Code Integrity policy.
### Deploy policies
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
To deploy base policy and supplemental policies:
- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
- Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
**Example 1: Add first base policy**
```xml
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Base1GUID}/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
<Data> {Base1Data} </Data>
</Item>
</Add>
```
**Example 2: Add second base policy**
```xml
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
<Data> {Base2Data} </Data>
</Item>
</Add>
```
**Example 3: Add supplemental policy**
```xml
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Supplemental1GUID}/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
<Data> {Supplemental1Data} </Data>
</Item>
</Add>
```
### Get policies
Perform a GET using a deployed policys GUID to interrogate/inspect the policy itself or information about it.
The following table displays the result of Get operation on different nodes:
|Nodes | Get Results|
|------------- | ------|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy|raw p7b|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version|Policy version|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective|Is the policy in effect|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed|Is the policy on the system|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized|Is the policy authorized on the system|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
The following is an example of Get command:
```xml
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy</LocURI>
</Target>
</Item>
</Get>
```
### Delete policies
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**.
> [!Note]
> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
To delete a signed policy:
1. Replace it with a signed update allowing unsigned policy.
2. Deploy another update with unsigned policy.
3. Perform delete.
The following is an example of Delete command:
```xml
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy</LocURI>
</Target>
</Item>
</Delete>
```
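Review bot: the three Add examples at L526-L568 all carry `<CmdID>1</CmdID>` (L527, L542, L557) while the text at L523 presents them as one deployment of two base policies and a supplemental; CmdID must be unique within a SyncML message, so number them 1, 2 and 3 or state that each is sent as a separate command. The `certutil -encode` recipe at L507-L510 produces PEM-style output with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines and 64-column wrapping, which the page never says to strip before pasting into `<Data>`; either add that step or lead with the PowerShell one-liner at L514, noting that `-Encoding Byte` is Windows PowerShell 5.1 syntax (`-AsByteStream` in PowerShell 7). L505 says the GUID is found `as <PolicyTypeID>`; in the multiple-policy format this page links to, each policy's own GUID is `<PolicyID>` (with `<BasePolicyID>` on supplementals), so confirm which element is meant, because the CSP rejects a URI GUID that does not match the policy ID in the blob (L451). Wording: `policys` at L505 and L570 needs an apostrophe; `the the Format section` at L519; `ms.author: dansimp@microsoft.com` at L431 should be the alias form used at L17; and `Only signed things should be able to update signed policies` at L595 should say what is meant, namely that a signed policy can only be replaced by a policy signed by a signer the deployed policy trusts, which is why the three-step sequence at L597-L599 is required.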

View File

@ -172,6 +172,34 @@ Additional lists:
<!--EndSKU--> <!--EndSKU-->
<!--EndCSP--> <!--EndCSP-->
<!--StartCSP-->
[ApplicationControl CSP](applicationcontrol-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP--> <!--StartCSP-->
[AppLocker CSP](applocker-csp.md) [AppLocker CSP](applocker-csp.md)
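Review bot: every SKU column of the new ApplicationControl CSP table, including Mobile and Mobile Enterprise, carries the same `<sup>6</sup>` footnote marker, and this hunk shows no definition of footnote 6; confirm that footnote exists on this page and that support on all seven SKUs is accurate rather than carried over from the neighbouring AppLocker block (the change-history row added elsewhere in this commit says the CSP is new in Windows 10, version 1903).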

(Binary image file added; after: 22 KiB)

View File

@ -142,6 +142,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><a href="enrollmentstatustracking-csp.md" data-raw-source="[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)">EnrollmentStatusTracking CSP</a></td> <td style="vertical-align:top"><a href="enrollmentstatustracking-csp.md" data-raw-source="[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)">EnrollmentStatusTracking CSP</a></td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p> <td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr> </td></tr>
<tr>
<td style="vertical-align:top"><a href="applicationcontrol-csp.md" data-raw-source="[ApplicationControl CSP](applicationcontrol-csp.md)">ApplicationControl CSP</a></td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr>
</tbody> </tbody>
</table> </table>
@ -1887,6 +1891,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|New or updated topic | Description| |New or updated topic | Description|
|--- | ---| |--- | ---|
|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| |[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider| |Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider|

View File

@ -52,6 +52,9 @@ The trust model determines how you want users to authenticate to the on-premises
* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. * The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
>[!NOTE]
>RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time.
Following are the various deployment guides included in this topic: Following are the various deployment guides included in this topic:
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
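Review bot: the note added in this hunk writes "Windows Hello for business" with a lowercase "business", while the surrounding text uses "Windows Hello for Business"; fix the capitalization. The note also sits directly under the two certificate-trust bullets but describes a key-trust limitation, so consider placing it under the key-trust bullet above this hunk or opening it with "Key trust:" so a reader scanning the certificate-trust bullets does not misattribute it.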

View File

@ -27,6 +27,9 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10.
## What about convenience PIN? ## What about convenience PIN?
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
## Can I use Windows Hello for Business key trust and RDP?
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
## Can I deploy Windows Hello for Business using System Center Configuration Manager? ## Can I deploy Windows Hello for Business using System Center Configuration Manager?
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018. Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
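Review bot: in the new FAQ answer, "key based", "self signed" and "certificate based" should be hyphenated as compound modifiers ("key-based", "self-signed", "certificate-based"), matching "two-factor credential" in this hunk's header context. The same RDP limitation is stated in the overview and deployment topics touched by this commit; a link from this answer to one of them would keep the wording in sync when it changes.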

View File

@ -92,7 +92,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication ## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
Windows Hello for Business with a key does not support RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments.
## Learn more ## Learn more
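Review bot: the added paragraph states the same limitation twice in adjacent sentences ("Windows Hello for Business with a key does not support RDP" and "RDP does not support authentication with a key or a self signed certificate"); collapse them into one sentence, hyphenate "self-signed" and "certificate-based", and consider rendering it as a `>[!NOTE]` block as the other Windows Hello for Business topics in this commit do, so the RDP caveat looks the same on every page.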

View File

@ -80,6 +80,9 @@ The key trust type does not require issuing authentication certificates to end u
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
>[!NOTE]
>RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this tim
#### Device registration #### Device registration
All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role. All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
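Review bot: the note added in this hunk is truncated: ">RDP is only supported with certificate trust deployments at this tim" is missing the end of the last word and the period ("at this time."). Also "Windows Hello for business" should be "Windows Hello for Business" as elsewhere in the topic.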

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: procedural ms.topic: article
--- ---
# Optimize ASR rule deployment and detections # Optimize ASR rule deployment and detections

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: procedural ms.topic: article
--- ---
# Get machines onboarded to Microsoft Defender ATP # Get machines onboarded to Microsoft Defender ATP

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: procedural ms.topic: article
--- ---
# Increase compliance to the Microsoft Defender ATP security baseline # Increase compliance to the Microsoft Defender ATP security baseline
@ -41,6 +41,9 @@ The Windows Intune security baseline provides a comprehensive set of recommended
Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
>[!NOTE]
>The Windows Defender ATP security baseline [turns on Windows Hello for Business](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp#windows-hello-for-business). This will require a secondary authentication method that is typically unavailable with RDP and other remote interactive sessions used to access virtual machines (VMs). Before applying the security baseline on VMs, consider modifying the baseline to turn off Windows Hello for Business.
## Get permissions to manage security baselines in Intune ## Get permissions to manage security baselines in Intune
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you havent been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group. By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you havent been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.
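Review bot: the new note names the "Windows Defender ATP security baseline" while the heading and the paragraph directly above it say "Microsoft Defender ATP security baseline"; align the product name. The recommendation to turn off Windows Hello for Business before applying the baseline to VMs should also say that the modified profile is meant to be assigned only to the VM group, not to every onboarded machine, otherwise the note reads as advice to weaken the baseline everywhere.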

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: procedural ms.topic: conceptual
--- ---
# Ensure your machines are configured properly # Ensure your machines are configured properly
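Review bot: this hunk changes `ms.topic` from `procedural` to `conceptual`, while the three preceding hunks in this commit change the same key from `procedural` to `article`; if the intent is one consistent replacement of `procedural`, confirm that `conceptual` is deliberate for this page.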

(Binary image file changed; before: 81 KiB, after: 91 KiB)

View File

@ -109,7 +109,7 @@ To see a full page view of an alert including incident graph and process tree, s
The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine. The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.
Timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns. The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.
>[!NOTE] >[!NOTE]
> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection). > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
@ -131,15 +131,15 @@ Some of the functionality includes:
- Export detailed machine timeline events - Export detailed machine timeline events
- Export the machine timeline for the current date or a specified date range up to seven days. - Export the machine timeline for the current date or a specified date range up to seven days.
Along with event time and users, one of the main categories on the timeline is "Details". They describe what happened in the events. The list of possible details are: More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example:
- Contained by Application Guard - Contained by Application Guard - the web browser event was restricted by an isolated container
- Active threat detected - when the detection happened, the threat was executing (i.e. it was running) - Active threat detected - the threat detection occurred while the threat was running
- Remediation unsuccessful - remediation was invoked but failed - Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
- Remediation successful - the threat was stopped and cleaned up - Remediation successful - the detected threat was stopped and cleaned
- Warning bypassed by user - SmartScreen warning appeared but the user dismissed it - Warning bypassed by user - the SmartScreen warning was dismissed and overridden by a user
- Suspicious script detected - Suspicious script detected - a potentially malicious script was found running
- Alert category (e.g. lateral movement)- if the event is correlated to an alert, the tag will show the alert category - The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
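Review bot: the rewritten intro says the details now appear in the **Additional information** section, replacing the old "Details" category on the timeline; confirm that label matches the current portal, since the paragraph two hunks up still describes filtering the timeline by event groups and customizing its columns. Minor: each list item separates label from description with a spaced hyphen ("Suspicious script detected - a potentially malicious script was found running"); a colon would read more clearly and match the "label: description" style used in the rest of the page.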