Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client

.openpublishing.redirection.json

@@ -6,6 +6,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
 "redirect_document_id": true

browsers/edge/includes/configure-start-pages-include.md

@@ -42,7 +42,7 @@ ms:topic: include
 
 ### Related policies
 
-- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
 
 - [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
 

browsers/edge/microsoft-edge-kiosk-mode-deploy.md

@@ -236,7 +236,7 @@ In the following table, we show you the features available in both Microsoft Edg
 |---------------|:----------------:|:---------------:|
 | Print support   | ![Supported](images/148767.png)   | ![Not supported](images/148766.png)   |
 | Multi-tab support   | ![Supported](images/148767.png)   | ![Not supported](images/148766.png)   |
-| Allow/Block URL support   | ![Supported](images/148767.png) <p>*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png)  |
+| Allow/Block URL support   | ![Supported](images/148767.png) <p>*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png)  |
 | Configure Home Button   | ![Supported](images/148767.png)   | ![Supported](images/148767.png)    |
 | Set Start page(s) URL   | ![Supported](images/148767.png)    | ![Supported](images/148767.png) <p>*Same as Home button URL*   |
 | Set New Tab page URL  | ![Supported](images/148767.png)   | ![Not supported](images/148766.png)   |

browsers/enterprise-mode/add-employees-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to add employees to the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
 title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
 title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/administrative-templates-and-ie11.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Administrative templates and Internet Explorer 11
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
 title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md

@@ -6,8 +6,8 @@ ms.prod: ie11
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
-ms.author: lizross
+ms.author: dougkim
 ms.date: 08/14/2017
 ms.localizationpriority: low
 ---

browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md

@@ -2,7 +2,7 @@
 ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
 title: Collect data using Enterprise Site Discovery

browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to create a change request within the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 description: Delete a single site from your global Enterprise Mode site list.
 ms.pagetype: appcompat
 ms.mktglfcycl: deploy
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
 title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
 title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
 title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 17c61547-82e3-48f2-908d-137a71938823
 title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
 title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
 title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
 title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
 title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local Enterprise Mode site list.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
 title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
 title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Search to see if a specific site already appears in your global Enterprise Mode site list.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
 title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Set up and turn on Enterprise Mode logging and data collection in your organization.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
 title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/set-up-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/turn-off-enterprise-mode.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
 title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Turn on local user control and logging for Enterprise Mode.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
 title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
 title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/using-enterprise-mode.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
 title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)

browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md

@@ -3,7 +3,7 @@ ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
-author: eross-msft
+author: jdeckerms
 ms.prod: ie11
 title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library

browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md

@@ -67,7 +67,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
 -   **Download and use the Internet Explorer 11 Blocker Toolkit.**  Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
 
     >[!NOTE]
-    >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq).
+    >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11).
 
 -   **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
 

devices/surface/surface-system-sku-reference.md

@@ -14,7 +14,7 @@ ms.date: 03/20/2019
 
 # System SKU reference
 
-This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell, WMI, 
+This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell or WMI.
 
 System Model and System SKU are variables stored in System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices.  The System SKU name is required to differentiate between devices with the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. 
 

education/trial-in-a-box/itadmin-tib-get-started.md

@@ -137,7 +137,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
     The provisioning package on your USB drive will be named SetUpSchoolPCs_*ABCDE* (Expires *MM-DD-YYYY*).ppkg, where *ABCDE* is the device name you added (if any), and *MM-DD-YYYY* is the month, day, and year when the package will expire.
     
     > [!NOTE]
-    > If you selected **Office 365 for Windows 10 S (Education Preview)**, this step will take about 30-45 minutes. You can jump ahead to task 3, [Express configure Intune for Education to manage devices, users, and policies](#task3), and then finish the rest of task 2 afterwards.
+    > If you selected **Office 365 for Windows 10 S (Education Preview)**, this step will take about 30-45 minutes. You can jump ahead to task 3, [Express configure Intune for Education to manage devices, users, and policies](#it-task3), and then finish the rest of task 2 afterwards.
 
 12. Follow the instructions in the **Get the student PCs ready** page to start setting up **Device B**. 
 13. Follow the instructions in the **Install the package** page to apply the provisioning package to **Device B**. For more guidance, you can follow the steps in [Apply the provisioning package](#apply-the-provisioning-package).

education/windows/use-set-up-school-pcs-app.md

@@ -122,7 +122,7 @@ To change an existing package's name, right-click the package folder on your dev
 
 1. Select how you want to sign in.  
     a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
-    b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network).  
+    b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).  
 2. In the new window, select the account you want to use throughout setup.  
 
     ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/1810_choose_account_suspc.png)  

mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md

@@ -60,7 +60,7 @@ UE-V will roam the Outlook 2010 signature files between devices. However, the de
 
 ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
 
-We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions).
+We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
 
 **WORKAROUND:** None
 

smb/cloud-mode-business-setup.md

@@ -167,7 +167,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag
 
   ![Microsoft Intune management portal](images/intune_portal_home.png)
 
-Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
+Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
 
 ### 1.4 Add Azure AD to your domain
 Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune. 

windows/application-management/app-v/appv-about-appv.md

@@ -1,7 +1,7 @@
 ---
 title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
 description: Information about what's new in App-V for Windows 10, version 1703 and earlier. 
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-auto-batch-sequencing.md

@@ -1,7 +1,7 @@
 ---
 title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
 description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-auto-batch-updating.md

@@ -1,7 +1,7 @@
 ---
 title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
 description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-auto-clean-unpublished-packages.md

@@ -1,7 +1,7 @@
 ---
 title: Automatically clean up unpublished packages on the App-V client (Windows 10)
 description: How to automatically clean up any unpublished packages on your App-V client devices.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-auto-provision-a-vm.md

@@ -1,7 +1,7 @@
 ---
 title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
 description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-available-mdm-settings.md

@@ -1,7 +1,7 @@
 ---
 title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
 description: A list of the available MDM settings for App-V on Windows 10.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-create-and-use-a-project-template.md

@@ -1,7 +1,7 @@
 ---
 title: Create and apply an App-V project template to a sequenced App-V package (Windows 10)
 description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md

@@ -34,7 +34,7 @@ Before you deploy Office with App-V, review the following requirements.
 
 |Task|Requirement|
 |---|---|
-|Packaging|All Office applications you wish to deploy to users must be in a single package.<br>In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.<br>If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).|
+|Packaging|All Office applications you wish to deploy to users must be in a single package.<br>In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.<br>If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).|
 |Publishing|You can only publish one Office package per client computer.<br>You must publish the Office package globally, not to the user.|
 |Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).<br>You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
 
@@ -45,7 +45,7 @@ The following table describes the recommended methods for excluding specific Off
 |Task|Details|
 |---|---|
 |Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.<br>For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element).|
-|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.<br>For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).|
+|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.<br>For more information, see [Disabling Office 2013 applications](#disabling-office-2013-applications).|
 
 ## Creating an Office 2013 package for App-V with the Office Deployment Tool
 
@@ -268,12 +268,12 @@ Add-AppvClientPackage <Path_to_AppV_Package> | Publish-AppvClientPackage –glob
 
 To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections.
 
-* [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins)
+* [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups)
-* [Disabling Office 2013 applications](#bkmk-disable-office-apps)
+* [Disabling Office 2013 applications](#disabling-office-2013-applications)
-* [Disabling Office 2013 shortcuts](#bkmk-disable-shortcuts)
+* [Disabling Office 2013 shortcuts](#disabling-office-2013-shortcuts)
-* [Managing Office 2013 package upgrades](#bkmk-manage-office-pkg-upgrd)
+* [Managing Office 2013 package upgrades](#managing-office-2013-package-upgrades)
-* [Managing Office 2013 licensing upgrades](#bkmk-manage-office-lic-upgrd)
+* [Managing Office 2013 licensing upgrades](#managing-office-2013-licensing-upgrades)
-* [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project)
+* [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office)
 
 ### Enabling Office plug-ins by using connection groups
 

windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md

@@ -1,7 +1,7 @@
 ---
 title: Release Notes for App-V for Windows 10, version 1703 (Windows 10)
 description: A list of known issues and workarounds for App-V running on Windows 10, version 1703.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md

@@ -1,7 +1,7 @@
 ---
 title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
 description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/application-management/app-v/appv-sequence-a-new-application.md

@@ -1,7 +1,7 @@
 ---
 title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
 description: How to manually sequence a new app using the App-V Sequencer
-author: eross-msft
+author: jdeckerms
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/client-management/mdm/policy-csp-authentication.md

@@ -296,6 +296,8 @@ Added in Windows 10, version 1607. Allows secondary authentication devices to w
 
 The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).
 
+In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This will only affect users that have not already set up a secondary authentication device.
+
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -113,8 +113,14 @@ Here is an example:
 
 ```
 <groupmembership>
- <accessgroup desc="Group SID for Administrators">
+    <accessgroup desc="Administrators">
-    <member name = "S-188-5-5666-5-688"/>
+        <member name="AzureAD\CSPTest@contoso.com" />
+        <member name="CSPTest22306\administrator" />
+        <member name = "AzureAD\patlewis@contoso.com" />
+    </accessgroup>
+    <accessgroup desc = "testcsplocal">
+        <member name = "CSPTEST22306\patlewis" />
+        <member name = "AzureAD\CSPTest@contoso.com" />
     </accessgroup>
 </groupmembership>
 ```
@@ -125,6 +131,10 @@ Here is an example:
 <!--/Policy-->
 <hr/>
 
+Take note:
+* You must include the local administrator in the administrators group or the policy will fail
+* Include the entire UPN after AzureAD
+
 Footnote:
 
 -   1 - Added in Windows 10, version 1607.

windows/configuration/cortana-at-work/cortana-at-work-crm.md

@@ -4,9 +4,9 @@ description: How to set up Cortana to help your salespeople get proactive insigh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-feedback.md

@@ -4,9 +4,9 @@ description: How to send feedback to Microsoft about Cortana at work.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-o365.md

@@ -4,9 +4,9 @@ description: How to connect Cortana to Office 365 so your employees are notified
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md

@@ -4,9 +4,9 @@ description: The list of Group Policy and mobile device management (MDM) policy
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-powerbi.md

@@ -4,9 +4,9 @@ description: How to integrate Cortana with Power BI to help your employees get a
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md

@@ -4,9 +4,9 @@ description: A test scenario walking you through signing in and managing the not
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md

@@ -4,9 +4,9 @@ description: A test scenario about how to perform a quick search with Cortana at
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md

@@ -4,9 +4,9 @@ description: A test scenario about how to set a location-based reminder using Co
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md

@@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to find your upcom
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md

@@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to send email to a
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md

@@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana with the Suggested reminde
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md

@@ -4,9 +4,9 @@ description: An optional test scenario about how to use Cortana at work with Win
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md

@@ -4,9 +4,9 @@ description: A list of suggested testing scenarios that you can use to test Cort
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md

@@ -4,9 +4,9 @@ description: How to create voice commands that use Cortana to perform voice-enab
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
-ms.author: lizross
+ms.author: dougkim
 ms.date: 10/05/2017
 ---
 

windows/configuration/kiosk-shelllauncher.md

@@ -33,7 +33,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
 >- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
 >- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies
 >
->You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
+>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](kiosk-single-app.md#wizard).
 
  
 

windows/configuration/lock-down-windows-10-to-specific-apps.md

@@ -49,6 +49,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
 To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows).
 
 
+<span id="provision" />
 ## Configure a kiosk using a provisioning package
 
 Process:

windows/configuration/manage-wifi-sense-in-enterprise.md

@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
-author: eross-msft
+author: jdeckerms
 ms.localizationpriority: medium
 ms.date: 05/02/2018
 ms.topic: article

windows/configuration/set-up-shared-or-guest-pc.md

@@ -187,7 +187,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
 ## Guidance for accounts on shared PCs
 
 * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will also be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
 * On a Windows PC joined to Azure Active Directory:
     * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
     * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.

windows/configuration/start-layout-xml-desktop.md

@@ -156,6 +156,7 @@ The following table describes the attributes that you must use to specify the si
 
 For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
 
+<span id="start-tile" />
 #### start:Tile
 
 You can use the **start:Tile** tag to pin any of the following apps to Start:
@@ -178,6 +179,7 @@ The following example shows how to pin the Microsoft Edge Universal Windows app:
           Column="0"/>
  ```
 
+<span id="start-desktopapplicationtile" />
 #### start:DesktopApplicationTile
 
 You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: 
@@ -238,6 +240,7 @@ The following example shows how to create a tile of the Web site's URL, which yo
 >[!NOTE]
 >In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL.
 
+<span id="start-secondarytile" />
 #### start:SecondaryTile
 
 You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).

windows/deployment/TOC.md

@@ -229,7 +229,9 @@
 #### [Windows Update error code reference](update/windows-update-error-reference.md)
 #### [Other Windows Update resources](update/windows-update-resources.md)
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
-#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
+#### [Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
+#### [Set up Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization-setup.md)
+#### [Delivery Optimization reference](update/waas-delivery-optimization-reference.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
 #### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
 ### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)

windows/deployment/planning/act-technical-reference.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: appcompat
 ms.sitesec: library
-author: eross-msft
+author: jdeckerms
 ms.date: 04/19/2017
 ms.topic: article
 ---

windows/deployment/update/update-compliance-delivery-optimization.md

@@ -30,7 +30,7 @@ The Delivery Optimization Status section includes three blades:
 
  
 ## Device Configuration blade
-Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md#download-mode).
+Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md) for recommendations for different scenarios or [Delivery Optimization reference](waas-delivery-optimization-reference.md#download-mode) for complete details of this setting.
  
 ## Content Distribution (%) blade
 The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).

windows/deployment/update/waas-delivery-optimization-reference.md

@@ -0,0 +1,223 @@
+---
+title: Delivery Optimization reference
+description: Reference of all Delivery Optimization settings and descriptions of same
+keywords: oms, operations management suite, wdav, updates, downloads, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: JaimeO
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Delivery Optimization reference
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference.
+
+## Delivery Optimization options
+
+You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. 
+
+You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
+
+[//]: # (something about Intune UX--perhaps link to relevant Intune docs?)
+
+### Summary of Delivery Optimization settings :
+
+| Group Policy setting | MDM setting | Supported from version |
+| --- | --- | --- |
+| [Download mode](#download-mode) | DODownloadMode | 1511 |
+| [Group ID](#group-id)  | DOGroupID | 1511 |
+| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
+| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
+| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
+| [Max Cache Size](#max-cache-size)  | DOMaxCacheSize | 1511 |
+| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
+| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
+| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
+| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 |
+| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 |
+| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 |
+| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
+| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
+| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 |
+| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 |
+| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 |
+| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 |
+| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 |
+| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth)  |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 |
+| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 |
+| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 |
+| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
+
+### More detail on Delivery Optimization settings:
+
+[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
+
+Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
+- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
+- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
+- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
+
+>[!NOTE]
+>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
+
+All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
+
+Additional options available that control the impact Delivery Optimization has on your network include the following:
+- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
+- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
+- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
+- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
+- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+- [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
+- [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source.
+- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
+- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
+
+Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
+- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
+- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
+- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
+- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.
+
+### Download mode
+
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization).
+
+| Download mode option | Functionality when set |
+| --- | --- |
+| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
+| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| 
+| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
+| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
+|Bypass (100) |	Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
+
+>[!NOTE]
+>Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
+
+### Group ID
+
+By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
+
+[//]: # (SCCM Boundary Group option; GroupID Source policy)
+
+>[!NOTE]
+>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
+>
+>This configuration is optional and not required for most implementations of Delivery Optimization.
+
+### Select the source of Group IDs
+Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are:
+- 0 = not set
+- 1 = AD Site
+- 2 = Authenticated domain SID
+- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
+- 4 = DNS Suffix 
+
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.  
+
+
+### Minimum RAM (inclusive) allowed to use Peer Caching  
+
+This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB, and the default value is 4 GB.
+
+### Minimum disk size allowed to use Peer Caching
+
+This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256 GB, and the default value is 32 GB.
+
+>[!NOTE]
+>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
+
+
+### Max Cache Age
+
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+
+### Max Cache Size
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
+
+### Absolute Max Cache Size
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB.
+
+### Minimum Peer Caching Content File Size
+
+This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000 MB.
+
+### Maximum Download Bandwidth
+
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+
+### Maximum Foreground Download Bandwidth
+
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+
+### Maximum Background Download Bandwidth
+
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+
+### Percentage of Maximum Download Bandwidth
+
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+### Max Upload Bandwidth
+
+This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+
+### Set Business Hours to Limit Background Download Bandwidth
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+### Set Business Hours to Limit Foreground Download Bandwidth
+Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+### Select a method to restrict peer selection
+Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option.  
+Currently the only available option is **1 = Subnet mask** This option (Subnet mask) applies to both Download Modes LAN (1) and Group (2).  
+
+
+
+### Delay background download from http (in secs)
+Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
+
+### Delay foreground download from http (in secs)
+Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
+
+### Minimum Background QoS
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
+
+### Modify Cache Drive
+
+This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
+
+### Monthly Upload Data Cap
+
+This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
+
+### Enable Peer Caching while the device connects via VPN
+
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
+### Allow uploads while the device is on battery while under set Battery level
+
+This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
+The device can download from peers while on battery regardless of this policy.
+
+>[!IMPORTANT]
+> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.

windows/deployment/update/waas-delivery-optimization-setup.md

@@ -0,0 +1,159 @@
+---
+title: Set up Delivery Optimization
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+keywords: oms, operations management suite, wdav, updates, downloads, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: JaimeO
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Set up Delivery Optimization for Windows 10 updates
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+## Recommended Delivery Optimization settings
+
+Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greates impact if particular situations exist in your deployment:
+
+- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)?
+- If you use boundary groups in your topology, how many devices are present in a given group?
+- What percentage of your devices are mobile?
+- Do your devices have a lot of free space on their drives?
+- Do you have a lab scenario with many devices on AC power?
+
+>[!NOTE]
+>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
+
+Quick-reference table:
+
+| Use case | Policy | Recommended value | Reason |
+| --- | --- | --- | --- |
+| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology |
+| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads |
+| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain |
+| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period |
+
+
+### Hybrid WAN scenario
+
+For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
+
+
+[//]: # is there a topic on GroupIDSrc we can link to?
+
+To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
+
+To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2.
+
+### Hub and spoke topology with boundary groups
+
+The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection).
+
+
+
+To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
+
+To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
+
+
+### Large number of mobile devices
+
+If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later.
+
+To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. 
+
+To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. 
+
+### Plentiful free space and large numbers of devices
+
+Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
+
+[//]: # default of 50 aimed at consumer
+
+To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
+
+To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
+
+### Lab scenario
+
+In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period.
+
+To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days).
+
+To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days).
+
+[//]: # material about "preferred" devices; remove MinQos/MaxCacheAge; table format?
+
+
+## Monitor Delivery Optimization
+[//]: # How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%
+
+### Windows PowerShell cmdlets for analyzing usage
+**Starting in Windows 10, version 1703**, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
+
+`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
+
+| Key | Value |
+| --- | --- |
+| File ID | A GUID that identifies the file being processed |
+| Priority | Priority of the download; values are **foreground** or **background** |
+| FileSize | Size of the file |
+| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
+| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
+| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
+| BytesfromHTTP | Total number of bytes received over HTTP |
+| DownloadDuration | Total download time in seconds |
+| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
+
+
+ 
+`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
+
+- Number of files downloaded 
+- Number of files uploaded 
+- Total bytes downloaded 
+- Total bytes uploaded 
+- Average transfer size (download); that is, the number bytes downloaded divided by the number of files 
+- Average transfer size (upload); the number of bytes uploaded divided by the number of files
+- Peer efficiency; same as PercentPeerCaching
+
+Using the `-Verbose` option returns additional information:
+
+- Bytes from peers (per type) 
+- Bytes from CDN  (the number of bytes received over HTTP)
+- Average number of peer connections per download 
+
+
+**Starting in Windows 10, version 1803:**
+
+`Get-DeliveryOptimizationLog [-Path <etl file path, supports wildcards>] [-Flush]`
+
+If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs.
+ 
+Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content <output file>` or something similar.
+
+[//]: # (section on what to look for in logs, list of peers, connection failures)
+
+`Get-DeliveryOptimizationPerfSnapThisMonth`
+
+Returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
+
+[//]: # (possibly move to Troubleshooting)
+
+### Monitor with Update Compliance
+
+The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
+
+![DO status](images/UC_workspace_DO_status.png)
+
+For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).
+

windows/deployment/update/waas-delivery-optimization.md

@@ -1,6 +1,6 @@
 ---
 title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
-description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -8,12 +8,11 @@ ms.sitesec: library
 author: JaimeO
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 04/30/2018
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---
 
-# Configure Delivery Optimization for Windows 10 updates
+# Delivery Optimization for Windows 10 updates
 
 
 **Applies to**
@@ -22,7 +21,7 @@ ms.topic: article
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled.  
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).  
 
 Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
 
@@ -30,6 +29,8 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
 >[!NOTE]
 >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
 
+## Requirements
+
 The following table lists the minimum Windows 10 version that supports Delivery Optimization:
 
 | Device type | Minimum Windows version |
@@ -39,325 +40,57 @@ The following table lists the minimum Windows 10 version that supports Delivery
 | IoT devices | 1803 |
 | HoloLens devices | 1803 |
 
+**Types of download packages supported by Delivery Optimization**
 
-By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+| Download package | Minimum Windows version |
+|------------------|---------------|
+| Windows 10 updates (feature updates and quality updates) | 1511 |
+| Windows 10 drivers | 1511 |
+| Windows Store files | 1511 |
+| Windows Store for Business files | 1511 |
+| Windows Defender definition updates | 1511 |
+| Office Click-to-Run updates | 1709 |
+| Win32 apps for Intune | 1709 |
+| SCCM Express Updates | 1709 + Configuration Manager version 1711 |
 
-For more details, see [Download mode](#download-mode).
+[//]: # (**Network requirements**)
 
-## Delivery Optimization options
+
+
+
+By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md#download-mode).
+
+
+## Set up Delivery Optimization
+
+See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for a number of common scenarios.
 
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. 
 
 You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
 In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
 
-Several Delivery Optimization features are configurable:
+[//]: # (Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see {LINK}.)
 
-| Group Policy setting | MDM setting | Supported from version |
+## Reference
-| --- | --- | --- |
+
-| [Download mode](#download-mode) | DODownloadMode | 1511 |
+For complete list of every possible Delivery Optimization setting, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
-| [Group ID](#group-id)  | DOGroupID | 1511 |
-| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
-| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
-| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
-| [Max Cache Size](#max-cache-size)  | DOMaxCacheSize | 1511 |
-| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 |
-| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 |
-| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 |
-| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 |
-| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 |
-| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 |
-| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 |
-| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 |
-| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 |
-| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 |
-| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 |
-| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 |
-| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 |
-| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth)  |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 |
-| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIdSource | 1803 |
-| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 |
-| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
 
 
-
+## How Microsoft uses Delivery Optimization
-
-When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure is the [Download mode](#download-mode), which dictates how Delivery Optimization downloads Windows updates.
-
-While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
-
-[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
-
-Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
-- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
-- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
-- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
-
->[!NOTE]
->It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
-
-All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
-
-Additional options available that control the impact Delivery Optimization has on your network include the following:
-- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
-- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
-- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
-- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
-- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-- [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
-- [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source.
-- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
-
-
-Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
-- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
-- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
-- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
-- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.
-
-### How Microsoft uses Delivery Optimization
 At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
 
 For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
 
-The following is a detailed description of every configurable feature setting. Use these details when configuring any of the settings.
 
-### Download mode
-
-Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization).
-
-| Download mode option | Functionality when set |
-| --- | --- |
-| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
-| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| 
-| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
-| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
-| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
-|Bypass (100) |	Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
-
->[!NOTE]
->Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
-
-### Group ID
-
-By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. 
-
->[!NOTE]
->To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
->
->This configuration is optional and not required for most implementations of Delivery Optimization.
-
-<span id="minimum-ram-allowed-to-use-peer-caching"/>
-### Minimum RAM (inclusive) allowed to use Peer Caching  
-
-This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB, and the default value is 4 GB.
-
-### Minimum disk size allowed to use Peer Caching
-
-This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256 GB, and the default value is 32 GB.
-
->[!NOTE]
->If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
-
-
-### Max Cache Age
-
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
-
-### Max Cache Size
-
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
-
-### Absolute Max Cache Size
-
-This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB.
-
-### Minimum Peer Caching Content File Size
-
-This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000 MB.
-
-### Maximum Download Bandwidth
-
-This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
-
-### Maximum Foreground Download Bandwidth
-
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
-
-### Maximum Background Download Bandwidth
-
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
-
-### Percentage of Maximum Download Bandwidth
-
-This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
-
-### Max Upload Bandwidth
-
-This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
-
-### Set Business Hours to Limit Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-### Set Business Hours to Limit Foreground Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-### Select a method to restrict peer selection
-Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option.  
-Currently the only available option is **1 = Subnet mask** This option (Subnet mask) applies to both Download Modes LAN (1) and Group (2).  
-
-### Select the source of Group IDs
-Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are:
-- 0 = not set
-- 1 = AD Site
-- 2 = Authenticated domain SID
-- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
-- 4 = DNS Suffix 
-
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.  
-
-
-### Delay background download from http (in secs)
-Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-
-### Delay foreground download from http (in secs)
-Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
-
-### Minimum Background QoS
-
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
-
-### Modify Cache Drive
-
-This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
-
-### Monthly Upload Data Cap
-
-This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
-
-### Enable Peer Caching while the device connects via VPN
-
-This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
-### Allow uploads while the device is on battery while under set Battery level
-
-This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
-The device can download from peers while on battery regardless of this policy.
-
->[!IMPORTANT]
-> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
-
-<span id="set-preferred-cache-devices"/>
-
-## Set “preferred” cache devices for Delivery Optimization
-
-In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
-
-To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files.
-
-On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet. Set **DOMinBackgroundQoS** with a low value, for example, `64` (which is the equivalent of 64 KB/s).
-
-## Troubleshooting steps if you don't see any bytes from peers
-
-If you don’t see any bytes coming from peers the cause might be one of the following issues:
-
-- Clients aren’t able to reach the Delivery Optimization cloud services.
-- The cloud service doesn’t see other peers on the network. 
-- Clients aren’t able to connect to peers that are offered back from the cloud service.
- 
-### Clients aren't able to reach the Delivery Optimization cloud services.
-
-To fix this issue, try the following steps:
-
-1. Start a download of an app that is larger than 50 MB from the Store (for example Candy Crush Saga).
-2. Run `Get-DeliveryOptimizationStatus` from an elevated window and share the output (by setting the `DownloadMode` field to **1**).
-
-### The cloud service doesn't see other peers on the network.
-
-If you suspect this is the problem, try these steps:
-
-1. Download the same app on another device on the same network.
-2. Run `Get-DeliveryOptimizationPerfSnap` from an elevated window (the `NumberOfPeers` field should be non-zero).
-
-
-### Clients aren't able to connect to peers offered by the cloud service
-
-If you suspect this is the problem, run a Telnet test between two devices on the network to ensure they can connect using port 7680. To do this, follow these steps:
-
-1. Install Telnet by running **dism /online /Enable-Feature /FeatureName:TelnetClient** from an elevated command prompt.
-2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
-
-
-## Windows PowerShell cmdlets for analyzing usage
-Starting in Windows 10, version 1703, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
-
-`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
-
-| Key | Value |
-| --- | --- |
-| File ID | A GUID that identifies the file being processed |
-| Priority | Priority of the download; values are **foreground** or **background** |
-| FileSize | Size of the file |
-| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
-| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
-| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
-| BytesfromHTTP | Total number of bytes received over HTTP |
-| DownloadDuration | Total download time in seconds |
-| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
-
-Using the `-Verbose` option returns additional information:
-
-| Key | Value |
-| --- | --- |
-| HTTPUrl| The URL where the download originates |
-| BytesFromLANPeers | Total bytes from peer devices on the same LAN | 
-| BytesFromGroupPeers | Total bytes from peer devices in the same Group | 
-| BytesFrom IntPeers | Total bytes from internet peers |
-| HTTPConnectionCount | Number of active connections over HTTP | 
-| LANConnectionCount | Number of active connections over LAN |
-| GroupConnectionCount | Number of active connections to other devices in the Group | 
-| IntConnectionCount | Number of active connections to internet peers | 
-| DownloadMode | Indicates the download mode (see the "Download Mode" section for details) |
- 
-`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
-
-- Number of files downloaded 
-- Number of files uploaded 
-- Total bytes downloaded 
-- Total bytes uploaded 
-- Average transfer size (download); that is, the number bytes downloaded divided by the number of files 
-- Average transfer size (upload); the number of bytes uploaded divided by the number of files
-- Peer efficiency; same as PercentPeerCaching
-
-Using the `-Verbose` option returns additional information:
-
-- Bytes from peers (per type) 
-- Bytes from CDN  (the number of bytes received over HTTP)
-- Average number of peer connections per download 
-
-
-Starting in Windows 10, version 1803:
-
-`Get-DeliveryOptimizationLog [-Path <etl file path, supports wildcards>] [-Flush]`
-
-If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs.
- 
-Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content <output file>` or something similar.
-
-`Get-DeliveryOptimizationPerfSnapThisMonth`
-
-Returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
 
 ## Frequently asked questions
 
 **Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
 
-**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 or 3544 (Teredo). For client-service communication, it uses port 80/443.
+**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
 
 **What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
 
@@ -375,7 +108,10 @@ For the payloads (optional):
 - *.download.windowsupdate.com 
 - *.windowsupdate.com
 
+**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
 
+[//]: # (**What data does Delivery Optimization send to the service?**)
+[//]: # (??????????????? I'm not sure we can avoid sharing this, per GDPR guidelines)
 
 
 

windows/deployment/upgrade/upgrade-readiness-deployment-script.md

@@ -17,7 +17,7 @@ To automate the steps provided in [Get started with Upgrade Readiness](upgrade-r
 >[!IMPORTANT]
 >Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
 
-For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
+For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread).
 
 > The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
 

windows/hub/release-information.md

@@ -11,24 +11,15 @@ author: lizap
 ms.author: elizapo
 ms.localizationpriority: high
 ---
-# Windows 10 - Release information
+# Windows 10 release information
 
->[!IMPORTANT]
+Feature updates for Windows 10 are released twice a year, targeting March and September, via the Semi-Annual Channel (SAC) and will be serviced with monthly quality updates for 18 months from the date of the release. We recommend that you begin deployment of each SAC release immediately to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
-> The URL for the release information page has changed - update your bookmark!
 
-Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). 
+Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).
 
-If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. 
+>[!NOTE]
+>If you are not using Windows Update for Business today, the "Semi-Annual Channel (Targeted)" servicing option has no impact on when your devices will be updated. It merely reflects a milestone for the semi-annual release, the period of time during which Microsoft recommends that your IT team make the release available to specific, "targeted" devices for the purpose of validating and generating data in order to get to a broad deployment decision. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
 
-If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC.  
-
-**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher).   
-
-November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809.
- 
-For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853).   
-
-<br>
 
 <div class="m-rich-content-block" data-grid="col-12">
     <div id="winrelinfo" xmlns="http://www.w3.org/1999/xhtml"><iframe width="100%" height="866px" id="winrelinfo_iframe" src="https://winreleaseinfoprod.blob.core.windows.net/winreleaseinfoprod/en-US.html" frameborder="0" marginwidth="0" marginheight="0" scrolling="auto"></iframe></div>

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -6,8 +6,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: aadake
-ms.date: 12/20/2018
+ms.author: justinha
-ms.topic: article
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 03/26/2019
 ---
 
 # Kernel DMA Protection for Thunderbolt™ 3 
@@ -98,12 +102,12 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
 Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the image below
+*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. 
 
 ![Kernel DMA protection user experience](images/device-details-tab.png)
 
 ### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
-If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality.
+If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142).
 
 ### Do Microsoft drivers support DMA-remapping?
 In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.

windows/security/information-protection/tpm/manage-tpm-lockout.md

@@ -83,7 +83,7 @@ For information about mitigating dictionary attacks that use the lockout setting
 
 ## Use the TPM cmdlets
 
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/).
 
 ## Related topics
 

windows/security/threat-protection/TOC.md

@@ -127,10 +127,10 @@
 
 ### [Configure and manage capabilities](windows-defender-atp/onboard.md)
 #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
-####Hardware-based isolation
+#####Hardware-based isolation
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
+####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) 
 ##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 ##### Device control
 ###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -139,7 +139,6 @@
 ######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
 ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 ##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
 ##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
@@ -388,8 +387,8 @@
   
 #####Rules
 ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-###### [Manage allowed/blocked](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
   
@@ -414,6 +413,7 @@
 ####Troubleshoot attack surface reduction
 ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
 ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
  
 #### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -35,7 +35,6 @@ Microsoft Defender ATP for Mac system requirements:
 - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
 - Disk space during preview: 1GB 
 - The following URLs must be accessible from the Mac device:
-  - ```https://fresno.blob.core.windows.net/preview/macos/wdav.pkg ```<br>
   - ```https://cdn.x.cp.wd.microsoft.com/ ```<br>
   - ```https://eu-cdn.x.cp.wd.microsoft.com/ ```<br>
   - ```https://wu-cdn.x.cp.wd.microsoft.com/ ``` <br>

windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md

@@ -8,7 +8,8 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 11/07/2017
+ms.date: 03/28/2019
+
 ---
 
 # Frequently asked questions - Windows Defender Application Guard 
@@ -22,7 +23,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
 | | |
 |---|----------------------------|
 |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
-|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
+|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount       - Default is 4 cores. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB            - Default is 8GB.|
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|

windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 11/27/2018
+ms.date: 03/28/2019
 ---
 
 # Windows Defender Application Guard overview
@@ -40,7 +40,7 @@ Application Guard has been created to target several types of systems:
 | | |
 |---|----------------------------|
 |**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
-|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
+|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount       - Default is 4 cores. |
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB            - Default is 8GB.|
 ||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -136,7 +136,6 @@
 ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
 ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
@@ -375,8 +374,8 @@
  
 ####Rules
 ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage allowed/blocked](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
  
@@ -403,5 +402,7 @@
 ###Troubleshoot attack surface reduction
 #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
 #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
+#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
+
  
 ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)

windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md

@@ -43,7 +43,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 
 
 ## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
+This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#block-files-in-your-network) for more details.
 
 If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
 

windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md

@@ -66,7 +66,7 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
 Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
 ```
 
-For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
 
 ## Assign user access using the Azure portal
 For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).

windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -52,8 +52,13 @@ You can create rules that determine the machines and alert severities to send em
     - **Rule name** - Specify a name for the notification rule.
     - **Include organization name** - Specify the customer name that appears on the email notification.
     - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
+    - **Include machine information** - Includes the machine name in the email alert body.
+    
+        >[!NOTE]
+        > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Windows Defender ATP data.
+
     - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
-    - **Alert severity** - Choose the alert severity level
+    - **Alert severity** - Choose the alert severity level.
 
 4. Click **Next**.
 	

windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md

@@ -48,7 +48,7 @@ ms.date: 04/24/2018
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
 
@@ -78,7 +78,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
 
     b.  Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
 
-2.  Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+2.  Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**.
 
 3.  In the **Group Policy Management Editor**, go to **Computer configuration**.
 
@@ -110,7 +110,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3.	Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3.	Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
 
 4.	In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
 

windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create
 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -92,7 +92,7 @@ Possible values are:
 
 The default value in case the registry key doesn’t exist is 1.
 
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 
 
@@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
-3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
 
     a. Choose a predefined device collection to deploy the package to.
 
@@ -155,7 +155,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
 Name: “OnboardingState”
 Value: “1”
 ```
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
 
 ## Related topics
 - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -14,7 +14,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 12/14/2018
 ---
 
 # Onboard servers to the Windows Defender ATP service
@@ -45,7 +44,22 @@ For a practical guidance on what needs to be in place for licensing and infrastr
 
 ## Windows Server 2012 R2 and Windows Server 2016
 
-To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to:
+There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP:
+
+- **Option 1**: Onboard through Azure Security Center
+- **Option 2**: Onboard through Windows Defender Security Center
+
+### Option 1: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**. 
+
+4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+### Option 2: Onboard servers through Windows Defender Security Center
+You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. 
 
 - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
 
@@ -53,7 +67,7 @@ To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender AT
     >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
 
 - Turn on server monitoring from Windows Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
+- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
 
 >[!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
@@ -73,7 +87,7 @@ The following steps are required to enable this integration:
 
 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
 
-2. Select Windows Server 2012R2 and 2016 as the operating system.
+2. Select Windows Server 2012 R2 and 2016 as the operating system.
  
 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
 
@@ -201,7 +215,7 @@ To offboard the server, you can use either of the following methods:
 1. Get your Workspace ID:
    a. In the navigation pane, select **Settings** > **Onboarding**.
 
-   b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID:
+   b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
     
         ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
 

windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md

@@ -44,6 +44,11 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D
 **Machine was offboarded**</br>
 If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
 
+
+**Machine is not sending signals**
+If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. 
+
+
 Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
 
 ## Misconfigured machines

windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -55,6 +55,11 @@ On the top navigation you can:
     
 5. Review the details in the Summary tab, then click **Save**.
 
+
+>[!NOTE]
+>Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforeced. While the option is not yet generally available, it will only be used when identified during an investigation.
+
+
 ## Manage indicators
 1. In the navigation pane, select **Settings** > **Allowed/blocked list**.  
 

windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -15,14 +15,11 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 06/14/2018
 ---
 
 # Manage automation allowed/blocked lists
 
 **Applies to:**
-
-
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 
@@ -70,4 +67,5 @@ You can define the conditions for when entities are identified as malicious or s
 
 ## Related topics
 - [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
 - [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Minimum requirements for Windows Defender ATP
-description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+description: Understand the licensing requirements and requirements for onboarding machines to the sercvie
-keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel
+keywords: minimum requirements, licensing, comparison table
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
-ms.date: 11/20/2018
 ---
 
 # Minimum requirements for Windows Defender ATP

windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md

@@ -44,7 +44,7 @@ When you open the portal, you’ll see the main areas of the application:
 - (3) Search, Community center, Time settings, Help and support, Feedback
 
 > [!NOTE]
-> Malware related detections will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
 
 You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.