diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 77e4cb1ee7..006a4bbd17 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -386,7 +386,14 @@
   "git_repository_branch_open_to_public_contributors": "master",
   "skip_source_output_uploading": false,
   "need_preview_pull_request": true,
+  "enable_incremental_build": true,
   "dependent_repositories": [
+    {
+      "path_to_root": "_themes.pdf",
+      "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
+      "branch": "master",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "_themes",
       "url": "https://github.com/Microsoft/templates.docs.msft",
@@ -394,5 +401,14 @@
       "branch_mapping": {}
     }
   ],
-  "need_generate_pdf_url_template": false
+  "branch_target_mapping": {
+    "live": ["Publish","Pdf"],
+    "master": ["Publish", "Pdf"]
+  }, 
+  "need_generate_pdf_url_template": true,
+  "Targets": {
+    "Pdf": {
+      "template_folder": "_themes.pdf"
+    }
+  }
 }
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index cdd94c4cbb..e5b91868f9 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1471,6 +1471,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/manage/windows-spotlight.md",
+"redirect_url": "/windows/configuration/windows-spotlight",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/deploy/activate-forest-by-proxy-vamt.md",
 "redirect_url": "/windows/deployment/volume-activation/activate-forest-by-proxy-vamt",
 "redirect_document_id": true
@@ -8214,6 +8219,21 @@
 "source_path": "education/get-started/index.md",
 "redirect_url": "/education/get-started/get-started-with-microsoft-education",
 "redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/windows-10-enterprise-security-guides.md",
+"redirect_url": "/windows/windows-10/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/change-history-for-keep-windows-10-secure.md",
+"redirect_url": "/windows/windows-10/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/change-history-for-manage-and-update-windows-10.md",
+"redirect_url": "/windows/windows-10/index",
+"redirect_document_id": true
 }
 ]
 }
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f5c90d0691..99dceed75d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -18,7 +18,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
 **To edit a topic**
 
-1.	Go to the page on TechNet that you want to update, and then click **Edit**.
+1.	Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
 
     ![GitHub Web, showing the Edit link](images/contribute-link.png)
 
@@ -62,14 +62,23 @@ We've tried to make editing an existing, public file as simple as possible.
     The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
 
     - [Windows 10](https://docs.microsoft.com/windows/windows-10)
-    - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)    
+    
+    - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
+    
     - [Surface](https://docs.microsoft.com/surface)
+    
     - [Surface Hub](https://docs.microsoft.com/surface-hub)
+    
     - [HoloLens](https://docs.microsoft.com/hololens)
+    
     - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
+    
     - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
+    
     - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
+    
     - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
+    
     - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
 
 
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 8c8984005a..3289a9892e 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -357,7 +357,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
     
             https://fabrikam.com/opensearch.xml
     
-    - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.<p>If you don't configure this setting, the default search engine is set to the one specified in App settings.
+    - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
 
     - If you don't configure this setting (default), the default search engine is set to the one specified in App settings.
 
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index 87a2cfa705..cfc6dc0467 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -11,7 +11,7 @@ localizationpriority: medium
 
 # Enroll HoloLens in MDM
 
-You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
 
 >[!NOTE]
 >Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
@@ -22,7 +22,7 @@ You can manage multiple Microsoft HoloLens devices simultaneously using solution
 
 ## Auto-enrollment in MDM 
 
-If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and Airwatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) 
+If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) 
 
 When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
 
@@ -36,4 +36,4 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When
 
 4. Upon successful authentication to the MDM server, a success message is shown.
 
-Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
\ No newline at end of file
+Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 9593ca5aeb..15d7cafd87 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -23,7 +23,7 @@ localizationpriority: medium
 | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
 | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time  |
 | [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)  | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
-| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
+| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
 | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app  |
 | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
 | [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens|
@@ -37,4 +37,4 @@ localizationpriority: medium
 
 - [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
 
-- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
\ No newline at end of file
+- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 8d241210d7..e118798d48 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -13,7 +13,7 @@ author: Scottmca
 
 Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
 
-You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index) article in the TechNet Library.
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
 
 Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
 
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 391e5173f4..befde0855e 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -59,7 +59,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
 ## Related topics
 
 [Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
-[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
+[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
 
  
 
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index 9396f2dd47..05f08ab263 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -143,8 +143,8 @@ For client machines that are running Windows 10 1703, LSAIso is running whenever
     -   **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
     -   **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
     -   **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
-    You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-    -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+    You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+        -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
       
 ## Disable Credential Guard
 
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
index e87463063e..0053b52421 100644
--- a/windows/access-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/access-protection/credential-guard/credential-guard-requirements.md
@@ -25,7 +25,7 @@ For Credential Guard to provide protections, the computers you are protecting mu
 
 ## Hardware and software requirements
 
-To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
+To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
 - Support for Virtualization-based security (required)
 - Secure boot (required)
 - TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 1aa658b96a..208b3e6a3c 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -49,7 +49,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
 ## What if someone steals the laptop or phone?
 
 To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
-You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
+You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
 
 **Configure BitLocker without TPM**
 1.  Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 804d9de6f8..b5b9ec5163 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi
 
 You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
 
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
 
 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index bcb7ee811a..41222e1796 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -71,7 +71,7 @@ The following table describes settings that you can configure using the wizards
 
 <table><tr><td align="left">**Step**</td><td align="left">**Description**</td><td>**Desktop</br>wizard**</td><td align="center">**Mobile</br>wizard**</td><td>**Kiosk</br>wizard**</td></tr>
 <tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</br>(Only device name and upgrade key)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
-<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fit network</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
+<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
 <tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
 <tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td></tr>
 <tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 283aaf793a..0a1d7e7ce0 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -90,12 +90,6 @@ Starting with version 1703, when configuring pause through policy, a start date
 
 In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
 
-With version 1703, pausing through the settings app will provide a more consistent experience:
-- Any active restart notification are cleared or closed
-- Any pending restarts are canceled
-- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
-
 >[!IMPORTANT]
 >This policy does not apply to Windows 10 Mobile Enterprise.
 >
@@ -123,6 +117,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
 >[!NOTE]
 >If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
 
+With version 1703, pausing through the settings app will provide a more consistent experience:
+- Any active restart notification are cleared or closed
+- Any pending restarts are canceled
+- Any pending update installations are canceled
+- Any update installation running when pause is activated will attempt to rollback
+
 ## Configure when devices receive Quality Updates
 
 Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.  
@@ -152,12 +152,6 @@ Starting with version 1703, when configuring pause through policy, a start date
 
 In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
 
-With version 1703, pause will provide a more consistent experience:
-- Any active restart notification are cleared or closed
-- Any pending restarts are canceled
-- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
-
 >[!IMPORTANT]
 >This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
 
@@ -183,6 +177,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
 >[!NOTE]
 >If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
 
+With version 1703, pausing through the settings app will provide a more consistent experience:
+- Any active restart notification are cleared or closed
+- Any pending restarts are canceled
+- Any pending update installations are canceled
+- Any update installation running when pause is activated will attempt to rollback
+
 ## Exclude drivers from Quality Updates
 
 In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle.  This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
@@ -225,7 +225,7 @@ Below are quick-reference tables of the supported Windows Update for Business po
 
 ## Update devices to newer versions
 
-Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
+Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
 
 ### How older version policies are respected on newer versions
 
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 98b6cc928a..91ec6739f4 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -36,54 +36,39 @@ Windows Update for Business is a free service that is available for Windows Pro,
 
 Windows Update for Business provides three types of updates to Windows 10 devices:
 
-- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
+- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-anually.
 - **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time).  These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
 - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
  
 Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
 
-<table>
-<tr>
-<th>Category</th>
-<th>Maximum deferral</th>
-<th>Deferral increments</th>
-<th>Example</th>
-<th>Classification GUID</th>
-</tr>
-<tr>
-<td>Feature Updates</td>
-<td>180 days</td>
-<td>Days</td>
-<td>From Windows 10, version 1511 to version 1607</td>
-<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
-</tr>
-<tr>
-<td rowspan="4">Quality Updates</td>
-<td rowspan="4">30 days</td>
-<td rowspan="4">Days</td>
-<td>Security updates</td>
-<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
-</tr>
-<tr>
-<td>Drivers (optional)</td>
-<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
-</tr>
-<tr>
-<td>Non-security updates</td>
-<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
-</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
-<tr>
-<td>Non-deferrable</td>
-<td>No deferral</td>
-<td>No deferral</td>
-<td>Definition updates</td>
-<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
-</tr>
-</table> 
+| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
+| --- | --- | --- | --- | --- |
+| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days</br>In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br>varies |
+| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
 
 >[!NOTE]
 >For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
 
+## Changes to Windows Update for Business in Windows 10, version 1703
+
+### Options added to Settings
+
+We have added a few controls into settings to allow users to control Windows Update for Business through an interface. 
+- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
+- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
+
+### Adjusted time periods
+
+We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
+
+We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
+
+### Additional changes
+
+The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
+
 ## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
 
 Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.   
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 8b7414fd7d..ae3f319cef 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -36,7 +36,7 @@ Windows 10 gains new functionality with twice-per-year feature update releases.
 
 Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. 
 
-Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version.  Each release is supported for a total of 10 years (five years standard support, five years extended support).  New releases are expected about every three years.
+Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version.  Each release is supported for a total of 10 years (five years standard support, five years extended support).  New releases are expected about every three years.
 
 See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
 
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 14f8a1dd19..e96eb8e095 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -30,6 +30,7 @@ The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU
 The following table lists the operating systems supported in USMT.
 
 <table>
+
 <colgroup>
 <col width="33%" />
 <col width="33%" />
@@ -83,7 +84,8 @@ You can migrate a 32-bit operating system to a 64-bit operating system. However,
 
 USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.
 
- 
+USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10.
+For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). 
 
 ## Windows PE
 
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 0ce8558c9c..4e36256cae 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -4,8 +4,7 @@ description: Deploy Windows 10 in a test lab using System Center Configuration M
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, sccm, configuration manager
+ms.pagetype: deploykeywords: deployment, automate, tools, configure, sccm, configuration manager
 localizationpriority: high
 author: greg-lindsay
 ---
@@ -15,7 +14,6 @@ author: greg-lindsay
 **Applies to**
 
 -   Windows 10
-
 **Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
 - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
 - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
@@ -26,7 +24,6 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
 - **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
 - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
 - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
-
 This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
 
 >Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
@@ -38,7 +35,6 @@ This guide provides end-to-end instructions to install and configure System Cent
 Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
 
 <div style='font-size:9.0pt'>
-
 <TABLE border=1 cellspacing=0 cellpadding=0>
 <TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
 
@@ -48,8 +44,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 <TR><TD>[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)<TD>Prerequisite procedures to support Zero Touch installation.<TD>60 minutes
 <TR><TD>[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)<TD>Use the MDT wizard to create the boot image in Configuration Manager.<TD>20 minutes
 <TR><TD>[Create a Windows 10 reference image](#create-a-windows-10-reference-image)<TD>This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.<TD>0-60 minutes
-<TR><TD>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<TD>Add a Windows 10 operating system image and distribute it.<TD>10 minutes
-<TR><TD>[Create a task sequence](#create-a-task-sequence)<TD>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<TD>15 minutes
+<TR><TD>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<TD>Add a Windows 10 operating system image and distribute it.<TD>10 minutes<TR><TD>[Create a task sequence](#create-a-task-sequence)<TD>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<TD>15 minutes
 <TR><TD>[Finalize the operating system configuration](#finalize-the-operating-system-configuration)<TD>Enable monitoring, configure rules, and distribute content.<TD>30 minutes
 <TR><TD>[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)<TD>Deploy Windows 10 using Configuration Manager deployment packages and task sequences.<TD>60 minutes
 <TR><TD>[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)<TD>Replace a client computer with Windows 10 using Configuration Manager.<TD>90 minutes
@@ -60,7 +55,6 @@ Topics and procedures in this guide are summarized in the following table. An es
 </div>
 
 ## Install prerequisites
-
 1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: 
 
     ```
@@ -78,7 +72,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 
     This command mounts the .ISO file to drive D on SRV1.
 
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2:
+4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
 
     ```
     D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 35cd55629e..3a9804aa1c 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -106,7 +106,7 @@ Typically, deployment of Device Guard happens best in phases, rather than being
 
 ## Device Guard deployment in virtual machines
 
-Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine.
+Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine.
 
 Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine:
 
@@ -116,6 +116,10 @@ Device Guard protects against malware running in the guest virtual machine. It d
 ### Requirements for running Device Guard in Hyper-V virtual machines 
  -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
+ -   Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. 
+ -   Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
+ -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
+
 
 ## Reviewing your applications: application signing and catalog files 
 
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 3f71267756..c801b3feab 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ You can define custom alert definitions and indicators of compromise (IOC) using
 Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
 
 ### Use the threat intelligence REST API to create custom threat intelligence alerts
-You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:
+You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource:
 
 -	GET
 -	POST
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index a0815dd8f5..6eb46cb27f 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -29,6 +29,15 @@ There are some minimum requirements for onboarding your network and endpoints.
 You must be on Windows 10, version 1607 at a minimum.
 For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
 
+### Licensing requirements
+Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+-	Windows 10 Enterprise E5
+-	Windows 10 Education E5
+- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+
 ### Network and data storage and configuration requirements
 When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
 
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 2a7a40abd6..0acb1a9351 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,16 @@ localizationpriority: high
 
 You need to onboard to Windows Defender ATP before you can use the service.
 
-For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). 
+For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
+
+## Licensing requirements
+Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+  -	Windows 10 Enterprise E5
+  -	Windows 10 Education E5
+  - Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
 
 ## In this section
 Topic | Description
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 6025221e43..85ad29fad8 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -260,6 +260,14 @@ If the verification fails and your environment is using a proxy to connect to th
 
     ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)
 
+## Licensing requirements
+Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+  -	Windows 10 Enterprise E5
+  -	Windows 10 Education E5
+  - Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
 
 
 ## Related topics
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 31ea9b52b2..5bcc8e1a05 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -510,21 +510,21 @@ Optionally, if you don’t want everyone in your organization to be able to shar
 >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
 
 ## Related topics
-- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
-
-- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
-
-- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
-
+- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
+ 
 - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
 
 - [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 
 - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
 
+- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
+
+- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
+
+- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
+
 - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
 
-
-
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 828d6becd9..59a4720f61 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -490,13 +490,21 @@ After you've finished configuring your policy, you can review all of your info o
 ## Deploy the WIP policy
 After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
 - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
+
 - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
+
 - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
 
 ## Related topics
 - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
+
 - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
+
 - [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
 
+- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index d4b9837475..dfd5630dc2 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
 |Task|Description|
 |----|-----------|
 |Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics.|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
 |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
 |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 896d97f4a0..d00786a7cf 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -132,6 +132,9 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
 
+>[!NOTE]
+>For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
 ## Turn off WIP
 You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.