diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 551ce8b897..f8f2090d66 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -45,6 +45,16 @@ "redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker", "redirect_document_id": false }, +{ + "source_path": "devices/hololens/hololens-find-and-save-files.md", + "redirect_url": "https://docs.microsoft.com/hololens/holographic-data", + "redirect_document_id": false +}, +{ + "source_path": "devices/hololens/hololens-management-overview.md", + "redirect_url": "https://docs.microsoft.com/hololens", + "redirect_document_id": false +}, { "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md", "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates", @@ -956,6 +966,11 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", "redirect_document_id": false @@ -966,6 +981,51 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1657,11 +1717,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", -"redirect_document_id": true -}, -{ "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", "redirect_document_id": true diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 7ee2caf174..cb590ce308 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -2,19 +2,19 @@ documentType: LandingData -title: Microsoft Edge group policies +title: Microsoft Edge Legacy group policies metadata: document_id: - title: Microsoft Edge group policies + title: Microsoft Edge Legacy group policies - description: Learn how to configure group policies in Microsoft Edge on Windows 10. + description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - keywords: Microsoft Edge, Windows 10, Windows 10 Mobile + keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile ms.localizationpriority: medium @@ -36,7 +36,7 @@ sections: - type: markdown - text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - items: diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index 0afcf97eb7..61b851adf2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml @@ -2,19 +2,19 @@ documentType: LandingData -title: Microsoft Edge Group Policy configuration options +title: Microsoft Edge Legacy Group Policy configuration options metadata: document_id: - title: Microsoft Edge Group Policy configuration options + title: Microsoft Edge Group Legacy Policy configuration options description: - text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - - keywords: Microsoft Edge, Windows 10 + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge Legacy, Windows 10 ms.localizationpriority: medium @@ -36,7 +36,7 @@ sections: - type: markdown - text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. - items: diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index ce3a2dd2a0..d9ff00d3a8 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -28,10 +28,11 @@ # Navigating Windows Holographic ## [Start menu and mixed reality home](holographic-home.md) ## [Use your voice with HoloLens](hololens-cortana.md) -## [Find and save files](hololens-find-and-save-files.md) +## [Find and save files](holographic-data.md) ## [Create, share, and view photos and video](holographic-photos-and-videos.md) # User management and access management +## [Accounts on HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) ## [Set up limited application access](hololens-kiosk.md) @@ -53,15 +54,14 @@ ## [Spatial mapping on HoloLens](hololens-spaces.md) # Update, troubleshoot, or recover HoloLens -## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md) ## [Update HoloLens](hololens-update-hololens.md) ## [Restart, reset, or recover](hololens-recovery.md) ## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) +## [Hololens services status](hololens-status.md) # [Release Notes](hololens-release-notes.md) -# [Hololens status](hololens-status.md) # [Give us feedback](hololens-feedback.md) # [Join the Windows Insider program](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/holographic-data.md b/devices/hololens/holographic-data.md new file mode 100644 index 0000000000..1f28c4fac9 --- /dev/null +++ b/devices/hololens/holographic-data.md @@ -0,0 +1,100 @@ +--- +title: Find and save files on HoloLens +description: Use File Explorer on HoloLens to view and manage files on your device +keywords: how-to, file picker, files, photos, videos, pictures, OneDrive, storage, file explorer +ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a +author: mattzmsft +ms.author: mazeller +manager: v-miegge +ms.reviewer: jarrettrenshaw +ms.date: 12/30/2019 +keywords: hololens +ms.prod: hololens +ms.sitesec: library +ms.topic: article +audience: ITPro +ms.localizationpriority: medium +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# Find, open, and save files on HoloLens + +Files you create on HoloLens, including photos and videos, are saved directly to your HoloLens device. View and manage them in the same way you would manage files on Windows 10: + +- Using the File Explorer app to access local folders. +- Within an app's storage. +- In a special folder (such as the video or music library). +- Using a storage service that includes an app and file picker (such as OneDrive). +- Using a desktop PC connected to your HoloLens by using a USB cable, using MTP (Media Transfer Protocol) support. + +## View files on HoloLens using File Explorer + +> Applies to all HoloLens 2 devices and HoloLens (1st gen) as of the [Windows 10 April 2018 Update (RS4) for HoloLens](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018). + +Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to **Start** > **All apps** > **File Explorer** to get started. + +> [!TIP] +> If there are no files listed in File Explorer, select **This Device** in the top left pane. + +If you don’t see any files in File Explorer, the "Recent" filter may be active (clock icon is highlighted in left pane). To fix this, select the **This Device** document icon in the left pane (beneath the clock icon), or open the menu and select **This Device**. + +## Find and view your photos and videos + +[Mixed reality capture](holographic-photos-and-videos.md) lets you take mixed reality photos and videos on HoloLens. These photos and videos are saved to the device's Camera Roll folder. + +You can access photos and videos taken with HoloLens by: + +- accessing the Camera Roll directly through the [Photos app](holographic-photos-and-videos.md). +- uploading photos and videos to cloud storage by syncing your photos and videos to OneDrive. +- using the Mixed Reality Capture page of the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#mixed-reality-capture). + +### Photos app + +The Photos app is one of the default apps on the **Start** menu, and comes built-in with HoloLens. Learn more about [using the Photos app to view content](holographic-photos-and-videos.md). + +You can also install the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store to sync photos to other devices. + +### OneDrive app + +[OneDrive](https://onedrive.live.com/) lets you access, manage, and share your photos and videos with any device and with any user. To access the photos and videos captured on HoloLens, download the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store on your HoloLens. Once downloaded, open the OneDrive app and select **Settings** > **Camera upload**, and turn on **Camera upload**. + +### Connect to a PC + +If your HoloLens is running the [Windows 10 April 2018 update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) or later, you can connect your HoloLens to a Windows 10 PC by using a USB cable to browse photos and videos on the device by using MTP (media transfer protocol). You'll need to make sure the device is unlocked to browse files if you have a PIN or password set up on your device. + +If you have enabled the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal), you can use it to browse, retrieve, and manage the photos and videos stored on your device. + +## Access files within an app + +If an application saves files on your device, you can use that application to access them. + +### Requesting files from another app + +An application can request to save a file or open a file from another app by using [file pickers](https://docs.microsoft.com/windows/mixed-reality/app-model#file-pickers). + +### Known folders + +HoloLens supports a number of [known folders](https://docs.microsoft.com/windows/mixed-reality/app-model#known-folders) that apps can request permission to access. + +## View HoloLens files on your PC + +Similar to other mobile devices, connect HoloLens to your desktop PC using MTP (Media Transfer Protocol) and open File Explorer on the PC to access your HoloLens libraries for easy transfer. + +To see your HoloLens files in File Explorer on your PC: + +1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens. + +1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device. + +To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**. + +> [!NOTE] +> HoloLens (1st gen) does not support connecting to external hard drives or SD cards. + +## Sync to the cloud + +To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens. + +HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up. diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index 203d5185f8..a183165e4a 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -137,7 +137,7 @@ Try walking around and looking at the area where you're placing the app so HoloL Free up some storage space by doing one or more of the following: -- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md) +- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md) - Delete some pictures and videos in the Photos app. - Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index d7ca664169..82ded27dd3 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -36,6 +36,9 @@ Get around HoloLens faster with these basic commands. In order to use these you Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” +>[!NOTE] +>Hand rays are not supported on HoloLens (1st Gen). + | Say this | To do this | | - | - | | "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. | diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md deleted file mode 100644 index 19f153d785..0000000000 --- a/devices/hololens/hololens-find-and-save-files.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Find and save files on HoloLens -description: Use File Explorer on HoloLens to view and manage files on your device -ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a -ms.reviewer: jarrettrenshaw -ms.date: 07/01/2019 -manager: v-miegge -keywords: hololens -ms.prod: hololens -ms.sitesec: library -author: v-miegge -ms.author: v-miegge -ms.topic: article -ms.localizationpriority: medium -appliesto: -- HoloLens (1st gen) -- HoloLens 2 ---- - -# Find and save files on HoloLens - -Add content from [Find and save files](https://docs.microsoft.com/windows/mixed-reality/saving-and-finding-your-files) - - -Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens. - -## View files on HoloLens - -Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to Start > All apps > File Explorer on HoloLens to get started. - ->[!TIP] ->If there are no files listed in File Explorer, select **This Device** in the top left pane. - -## View HoloLens files on your PC - -To see your HoloLens files in File Explorer on your PC: - -1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens. - -1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device. - ->[!TIP] ->To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**. - -## View HoloLens files on Windows Device Portal - ->[!NOTE] ->To use Device Portal you must enable [Developer Mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal). - -1. Enable Developer Mode and Device Portal on your HoloLens. (See note above if not enabled.) - -1. Navigate to the Device Portal page on your PC. - 1. To connect to a HoloLens connected to your PC type in 127.0.0.1:10080/ in your browser. - 1. To connect to a HoloLens wirelessly instead navigate to your IP address. - ->[!TIP] ->You may need to install a certificate, OR you may see more details and navigate to the website anyways. (Path per web broswer will differ.) - -1. Once succesfully connected, on the left side of the windw you can navigate to the [File Explorer](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#file-explorer) workspace. - -## Sync to the cloud - -To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens. - ->[!TIP] ->HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up. diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md new file mode 100644 index 0000000000..3cc6cc4cfc --- /dev/null +++ b/devices/hololens/hololens-identity.md @@ -0,0 +1,111 @@ +--- +title: Managing user identity and login on HoloLens +description: Manage user identity, security, and login on HoloLens. +keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference +ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e +author: scooley +ms.author: scooley +ms.date: 1/6/2019 +ms.prod: hololens +ms.topic: article +ms.sitesec: library +ms.topic: article +ms.localizationpriority: medium +audience: ITPro +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# User identity and signin + +> [!NOTE] +> This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)". + +Like other Windows devices, HoloLens always operates under a user context. There is always a user identity. HoloLens treats identity in almost the same manner as other Windows 10 devices do. This article is a deep-dive reference for identity on HoloLens, and focuses on how HoloLens differs from other Windows 10 devices. + +HoloLens supports several kinds of user identities. You can use one or more user accounts to sign in. Here's an overview of the identity types and authentication options on HoloLens: + +| Identity type | Accounts per device | Authentication options | +| --- | --- | --- | +| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) | | +| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 | | +| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password | + +Cloud-connected accounts (AAD and MSA) offer more features because they can use Azure services. + +## Setting up users + +The most common way to set up a new user is during the HoloLens out-of-box experience (OOBE). During setup, HoloLens prompts for a user to sign in by using the account that they want to use on the device. This account can be a consumer Microsoft account or an enterprise account that has been configured in Azure. See Setting up your [HoloLens (1st gen)](hololens1-start.md) or [HoloLens 2](hololens2-start.md). + +Like Windows on other devices, signing in during setup creates a user profile on the device. The user profile stores apps and data. The same account also provides Single Sign-on for apps such as Edge or Skype by using the Windows Account Manager APIs. + +If you use an enterprise or organizational account to sign in to HoloLens, HoloLens enrolls in the organization's IT infrastructure. This enrollment allows your IT Admin to configure Mobile Device Management (MDM) to send group policies to your HoloLens. + +By default, as for other Windows 10 devices, you'll have to sign in again when HoloLens restarts or resumes from standby. You can use the Settings app to change this behavior, or the behavior can be controlled by group policy. + +### Linked accounts + +As in the Desktop version of Windows, you can link additional web account credentials to your HoloLens account. Such linking makes it easier to access resources across or within apps (such as the Store) or to combine access to personal and work resources. After you connect an account to the device, you can grant permission to use the device to apps so that you don't have to sign in to each app individually. + +Linking accounts does not separate the user data created on the device, such as images or downloads. + +### Setting up multi-user support (AAD only) + +> [!NOTE] +> **HoloLens (1st gen)** began supporting multiple AAD users in the [Windows 10 April 2018 Update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) as part of [Windows Holographic for Business](hololens-upgrade-enterprise.md). + +HoloLens supports multiple users from the same AAD tenant. To use this feature, you must use an account that belongs to your organization to set up the device. Subsequently, other users from the same tenant can sign in to the device from the sign-in screen or by tapping the user tile on the Start panel. Only one user can be signed in at a time. When a user signs in, HoloLens signs out the previous user. + +All users can use the apps installed on the device. However, each user has their own app data and preferences. Removing an app from the device removes it for all users. + +## Removing users + +You can remove a user from the device by going to **Settings** > **Accounts** > **Other people**. This action also reclaims space by removing all of that user's app data from the device. + +## Using single sign-on within an app + +As an app developer, you can take advantage of linked identities on HoloLens by using the [Windows Account Manager APIs](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.Web.Core), just as you would on other Windows devices. Some code samples for these APIs are available [here](https://go.microsoft.com/fwlink/p/?LinkId=620621). + +Any account interrupts that might occur, such as requesting user consent for account information, two-factor authentication, and so forth, must be handled when the app requests an authentication token. + +If your app requires a specific account type that hasn't been linked previously, your app can ask the system to prompt the user to add one. This request triggers the account settings pane to launch as a modal child of your app. For 2D apps, this window renders directly over the center of your app. For Unity apps, this request briefly takes the user out of your holographic app to render the child window. For information about customizing the commands and actions on this pane, see [WebAccountCommand Class](https://docs.microsoft.com/uwp/api/Windows.UI.ApplicationSettings.WebAccountCommand). + +## Enterprise and other authentication + +If your app uses other types of authentication, such as NTLM, Basic, or Kerberos, you can use [Windows Credential UI](https://docs.microsoft.com/uwp/api/Windows.Security.Credentials.UI) to collect, process, and store the user's credentials. The user experience for collecting these credentials is very similar to other cloud-driven account interrupts, and appears as a child app on top of your 2D app or briefly suspends a Unity app to show the UI. + +## Deprecated APIs + +One way in which developing for HoloLens differs from developing for Desktop is that the [OnlineIDAuthenticator](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.OnlineId.OnlineIdAuthenticator) API is not fully supported. Although the API returns a token if the primary account is in good-standing, interrupts such as those described in this article do not display any UI for the user and fail to correctly authenticate the account. + +## Frequently asked questions + +### Is Windows Hello for Business supported on HoloLens? + +Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: + +1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). +1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) +1. On HoloLens, the user can then use **Settings** > **Sign-in Options** > **Add PIN** to set up a PIN. + +> [!NOTE] +> Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). + +#### Does the type of account change the sign-in behavior? + +Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: + +- **Microsoft account**: signs in automatically +- **Local account**: always asks for password, not configurable in **Settings** +- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password. + +> [!NOTE] +> Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy. + +## Additional resources + +Read much more about user identity protection and authentication on [the Windows 10 security and identity documentation](https://docs.microsoft.com/windows/security/identity-protection/). + +Learn more about setting up hybrid identity infrastructure thorough the [Azure Hybrid identity documentation](https://docs.microsoft.com/azure/active-directory/hybrid/). diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 604048e203..633f296a3e 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -3,11 +3,12 @@ title: Insider preview for Microsoft HoloLens (HoloLens) description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. ms.prod: hololens ms.sitesec: library -author: dansimp -ms.author: dansimp +author: scooley +ms.author: scooley ms.topic: article ms.localizationpriority: medium -ms.date: 10/23/2018 +audience: ITPro +ms.date: 1/6/2020 ms.reviewer: manager: dansimp appliesto: @@ -17,38 +18,37 @@ appliesto: # Insider preview for Microsoft HoloLens -Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. - -## How do I install the Insider builds? - -On a device running the Windows 10 April 2018 Update, go to Settings -> Update & Security -> Windows Insider Program and select Get started. Link the account you used to register as a Windows Insider. +Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. -Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. +## Start receiving Insider builds -Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. +On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. -## How do I stop receiving Insider builds? +Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. -If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. +Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. + +## Stop receiving Insider builds + +If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. To verify that your HoloLens is running a production build: + - Go to **Settings > System > About**, and find the build number. -- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information) +- [See the release notes for production build numbers.](hololens-release-notes.md) To opt out of Insider builds: + - On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**. - Follow the instructions to opt out your device. +## Provide feedback and report issues +Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. + +>[!NOTE] +>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). ## Note for developers You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. - -## Provide feedback and report issues - -Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. - ->[!NOTE] ->Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). - diff --git a/devices/hololens/hololens-management-overview.md b/devices/hololens/hololens-management-overview.md deleted file mode 100644 index 307b2f7f00..0000000000 --- a/devices/hololens/hololens-management-overview.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Update, troubleshoot, or recover HoloLens -description: -author: Teresa-Motiv -ms.author: v-tea -ms.date: 11/27/2019 -ms.prod: hololens -ms.topic: article -ms.custom: CSSTroubleshooting -audience: ITPro -keywords: issues, bug, troubleshoot, fix, help, support, HoloLens -manager: jarrettr -ms.localizationpriority: medium -appliesto: -- HoloLens (1st gen) -- HoloLens 2 ---- - -# Update, troubleshoot, or recover HoloLens - -The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter. - -**In this section** - -| Article | Description | -| --- | --- | -| [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. | -| [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. | -| [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device | -| [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. | -| [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. | -| [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.| diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 4d8b9c1a52..aaf200a4b0 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -22,6 +22,10 @@ appliesto: > [!Note] > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). +### January Update - build 18362.1043 + +- Stability improvements for exclusive apps when working with the HoloLens 2 emulator. + ### December Update - build 18362.1042 - Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update. diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md index 75b91e51f9..7102984f4c 100644 --- a/devices/hololens/hololens-troubleshooting.md +++ b/devices/hololens/hololens-troubleshooting.md @@ -33,24 +33,26 @@ If your HoloLens becomes frozen or unresponsive: If these steps don't work, you can try [recovering your device](hololens-recovery.md). -## Holograms don't look good or are moving around +## Holograms don't look good -If your holograms are unstable, jumpy, or don’t look right, try one of these fixes: +If your holograms are unstable, jumpy, or don’t look right, try: -- Clean your device visor and make sure that nothing is obstructing the sensors. -- Make sure that there’s enough light in your room. -- Try walking around and looking at your surroundings so that HoloLens can scan them more completely. -- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. +- Cleaning your device visor and sensor bar on the front of your HoloLens. +- Increasing the light in your room. +- Walking around and looking at your surroundings so that HoloLens can scan them more completely. +- Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. -## HoloLens doesn’t respond to my gestures +## HoloLens doesn’t respond to gestures -To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands). +To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring. + +Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame). If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light. If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently. -## HoloLens doesn’t respond to my voice commands. +## HoloLens doesn’t respond to my voice commands If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). @@ -64,10 +66,6 @@ If HoloLens can’t map or load your space, it enters Limited mode and you won - To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**. - If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. -## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message - -If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around). - ## My HoloLens can’t tell what space I’m in If your HoloLens can’t identify and load the space you’re in automatically, check the following factors: @@ -90,3 +88,7 @@ You’ll need to free up some storage space by doing one or more of the followin ## My HoloLens can’t create a new space The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. + +## The HoloLens emulators isn't working + +Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting). diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md index 319644824d..79189a7cf6 100644 --- a/devices/hololens/hololens2-setup.md +++ b/devices/hololens/hololens2-setup.md @@ -62,7 +62,7 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. | | To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. | -| To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | +| To turn off | Press and hold for 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | ## HoloLens behavior reference diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7f3793ed3f..88b0653b00 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,7 +49,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` -[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. +> [!IMPORTANT] +> ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index 3312d5f4ec..fb93b0e7d9 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -47,7 +47,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. - **Skype for Business:** For Skype for Business only (on-premises or online), you can enable the Skype for Business object by running **Enable-CsMeetingRoom** to enable features such as Meeting room prompt for audio and Lobby hold. -- **Calendar:** Set **Calendar Auto processing** for this account. +- **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account. ## Create account using PowerShell Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 5c28202363..af763b9e26 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -15,46 +15,55 @@ ms.localizationpriority: Medium # Reset and recovery for Surface Hub 2S -If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or recover using a USB drive. +If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or restore by using a USB drive. -To begin, sign into Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**. +To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**. -## Reset device +## Reset the device -1. To reset, select **Get Started**. -2. When the **Ready to reset this device** window appears, select **Reset**. Surface Hub 2S reinstalls the operating system from the recovery partition and may take up to one hour to complete. -3. Run **the first time Setup program** to reconfigure the device. -4. If you manage the device using Intune or other mobile device manager (MDM) solution, retire and delete the previous record and re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe). +1. To reset the device, select **Get Started**. +2. When the **Ready to reset this device** window appears, select **Reset**. + >[!NOTE] + >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete. +3. To reconfigure the device, run the first-time Setup program. +4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe). ![*Reset and recovery for Surface Hub 2S*](images/sh2-reset.png)
-*Figure 1. Reset and recovery for Surface Hub 2S.* +*Figure 1. Reset and recovery for Surface Hub 2S* -## Recover Surface Hub 2S using USB recovery drive +## Recover Surface Hub 2S by using a USB recovery drive -New in Surface Hub 2S, you can now reinstall the device using a recovery image. +New in Surface Hub 2S, you can now reinstall the device by using a recovery image. -### Recover from USB drive +### Recovery from a USB drive -Surface Hub 2S lets you reinstall the device using a recovery image, which allows you to reinstall the device to factory settings if you lost the Bitlocker key or no longer have admin credentials to the Settings app. +Using Surface Hub 2S, you can reinstall the device by using a recovery image. By doing this, you can reinstall the device to the factory settings if you lost the BitLocker key, or if you no longer have admin credentials to the Settings app. -1. Begin with a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32. -2. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions. -3. Unzip the downloaded file onto the root of the USB drive. -4. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S. -5. Turn off the device. While holding down the Volume down button, press the Power button. Keep holding both buttons until you see the Windows logo. Release the Power button but continue to hold the Volume until the Install UI begins. +>[!NOTE] +>Use a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32. -![*Use Volume down and power buttons to initiate recovery*](images/sh2-keypad.png)
+1. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions. +1. Unzip the downloaded file onto the root of the USB drive. +1. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S. +1. Turn off the device: + 1. While holding down the Volume down button, press the Power button. + 1. Keep holding both buttons until you see the Windows logo. + 1. Release the Power button but continue to hold the Volume until the Install UI begins. -6. In the language selection screen, select the display language for your Surface Hub 2S. -7. Choose **Recover from a drive** and **Fully clean the drive** and then select **Recover**. If prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process. -Remove the USB drive when the first time setup screen appears. + ![*Use Volume down and power buttons to initiate recovery*](images/sh2-keypad.png)
+ **Figure 2. Volume and Power buttons** + +1. On the language selection screen, select the display language for your Surface Hub 2S. +1. Select **Recover from a drive** and **Fully clean the drive**, and then select **Recover**. If you're prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process. + +When the first-time setup screen appears,remove the USB drive. ## Recover a locked Surface Hub -On rare occasions, Surface Hub 2S may encounter an error during cleanup of user and app data at the end of a session. If this occurs, the device will automatically reboot and resume data cleanup. But if this operation fails repeatedly, the device will be automatically locked to protect user data. +At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data. -**To unlock Surface Hub 2S:**
-Reset or recover the device from Windows Recovery Environment (Windows RE). For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) +**To unlock a Surface Hub 2S:**
+- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) > [!NOTE] -> To enter recovery mode, you need to physically unplug and replug the power cord three times. +> To enter recovery mode, unplug the power cord and plug it in again three times. diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md index b3f42b32cf..d12281f55b 100644 --- a/devices/surface-hub/surface-hub-site-readiness-guide.md +++ b/devices/surface-hub/surface-hub-site-readiness-guide.md @@ -1,12 +1,12 @@ --- title: Surface Hub Site Readiness Guide ms.reviewer: -manager: dansimp +manager: laurawi description: Use this Site Readiness Guide to help plan your Surface Hub installation. ms.prod: surface-hub ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium --- @@ -28,7 +28,7 @@ The room needs to be large enough to provide good viewing angles, but small enou - The screen is not in direct sunlight, which could affect viewing or damage the screen. - Ventilation openings are not blocked. - Microphones are not affected by noise sources, such as fans or vents. -You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub. +You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at https://www.microsoft.com/surface/support/surface-hub. ### Hardware considerations @@ -47,7 +47,7 @@ For details about cable ports, see the [55” Microsoft Surface Hub technical in Microsoft Surface Hub has an internal PC and does not require an external computer system. -For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub. +For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at https://www.microsoft.com/surface/support/surface-hub. ### Data and other connections @@ -77,7 +77,7 @@ Before you move Surface Hub, make sure that all the doorways, thresholds, hallwa ### Unpacking Surface Hub -For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub +For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: https://www.microsoft.com/surface/support/surface-hub >[!IMPORTANT] >Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it @@ -85,17 +85,17 @@ for repairs. For the 84” Surface Hub, retain the lifting handles. ### Lifting Surface Hub -The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub. +The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at https://www.microsoft.com/surface/support/surface-hub. ## Mounting and setup -See your mounting guide at http://www.microsoft.com/surface/support/surface-hub for detailed instructions. +See your mounting guide at https://www.microsoft.com/surface/support/surface-hub for detailed instructions. There are three ways to mount your Surface Hub: - **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall. - **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall. -- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub. +- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see https://www.microsoft.com/surface/support/surface-hub. For specifications on available mounts for the original Surface Hub, see the following: @@ -129,13 +129,10 @@ For example, to provide audio, video, and touchback capability to all three vide When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand. -For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub. +For details on Touchback and Inkback, see the user guide at https://www.microsoft.com/surface/support/surface-hub. ## See also -[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) - - - +[Watch the video (opens in a pop-up media player)](https://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index b46f7b2edd..468e0d3329 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -182,7 +182,3 @@ This example shows a link to a website and a link to a .pdf file. The secondary >[!NOTE] >The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark. - -## More information - -- [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index bc07173a20..943400d44c 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -442,7 +442,7 @@ This update brings the Windows 10 Team Anniversary Update to Surface Hub and inc * General * Enabled Audio Device Selection (for Surface Hubs attached using external audio devices) * Enabled support for HDCP on DisplayPort output connector - * System UI changes to settings for usability optimization (refer to [User and Admin Guides](http://www.microsoft.com/surface/support/surface-hub) for additional details) + * System UI changes to settings for usability optimization (refer to [User and Admin Guides](https://www.microsoft.com/surface/support/surface-hub) for additional details) * Bug fixes and performance optimizations to speed up the Azure Active Directory sign-in flow * Significantly improved time needed to reset and restore Surface Hub * Windows Defender UI has been added within settings @@ -520,9 +520,9 @@ This update to the Surface Hub includes quality improvements and security fixes. ## Related topics -* [Windows 10 feature road map](http://go.microsoft.com/fwlink/p/?LinkId=785967) -* [Windows 10 release information](http://go.microsoft.com/fwlink/p/?LinkId=724328) -* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq) -* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327) -* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968) -* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) +* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967) +* [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328) +* [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq) +* [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327) +* [Microsoft Lumia update history](https://go.microsoft.com/fwlink/p/?LinkId=785968) +* [Get Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=616447) diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index fe487f8337..61fc8352df 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -11,7 +11,7 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.audience: itpro -ms.date: 10/21/2019 +ms.date: 01/15/2020 ms.reviewer: manager: dansimp --- @@ -99,10 +99,7 @@ Because customizations are performed by MDT at the time of deployment, the goal For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). -When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). - - -In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process. +When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). >[!NOTE] >Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices. @@ -234,7 +231,7 @@ You now have an empty deployment share that is ready for you to add the resource The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC). >[!NOTE] ->A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3. +>A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT. To import Windows 10 installation files, follow these steps: @@ -404,9 +401,9 @@ Perform the reference image deployment and capture using the following steps: * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. - ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") + ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") - *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* + *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index 855d637526..d627dec4e9 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md @@ -1,5 +1,5 @@ --- -title: How to enable the Surface Laptop keyboard during MDT deployment (Surface) +title: How to enable the Surface Laptop keyboard during MDT deployment description: When you use MDT to deploy Windows 10 to Surface laptops, you need to import keyboard drivers to use in the Windows PE environment. keywords: windows 10 surface, automate, customize, mdt ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.date: 10/31/2019 +ms.date: 01/17/2020 ms.reviewer: scottmca ms.localizationpriority: medium ms.audience: itpro @@ -22,14 +22,14 @@ appliesto: # How to enable the Surface Laptop keyboard during MDT deployment +This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies. On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository). + > [!NOTE] -> This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies. +> It is currently not supported to add Surface Laptop 2 and Surface Laptop 3 keyboard drivers in the same Windows PE boot instance due to a driver conflict; use separate instances instead. > [!IMPORTANT] > If you are deploying a Windows 10 image to a Surface Laptop that has Windows 10 in S mode preinstalled, see KB [4032347, Problems when deploying Windows to Surface devices with preinstalled Windows 10 in S mode](https://support.microsoft.com/help/4032347/surface-preinstall-windows10-s-mode-issues). -On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository). - To add the keyboard drivers to the selection profile, follow these steps: 1. Download the latest Surface Laptop MSI file from the appropriate locations: diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 47c2ffed10..1761581ced 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -46,9 +46,14 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry). 1. Run regedit from a command prompt to open the Windows Registry Editor. - - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface Brightness Control\ - + + If you're running an older version of Surface Brightness control, run the following command instead: + + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + Brightness Control\ + | Registry Setting | Data| Description |-----------|------------|--------------- diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 104b12b126..751ea36a4d 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -50,9 +50,6 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm > [!NOTE] > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" -> [!NOTE] -> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" - For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. > [!IMPORTANT] diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index 0ee065cb59..00ad750ca8 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp ms.topic: article -ms.date: 10/10/2019 +ms.date: 12/30/2019 ms.reviewer: scottmca manager: dansimp ms.audience: itpro @@ -44,6 +44,8 @@ The following devices are supported for WOL: * Surface Go * Surface Go with LTE Advanced * Surface Studio 2 (see Surface Studio 2 instructions below) +* Surface Pro 7 +* Surface Laptop 3 ## WOL driver @@ -66,15 +68,15 @@ To enable WOL on Surface Studio 2, you must use the following procedure 1. Create the following registry keys: - ``` -; Set CONNECTIVITYINSTANDBY to 1: -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9] -"Attributes"=dword:00000001 -; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1: -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power] -"EnforceDisconnectedStandby"=dword:00000000 -"AllowSystemRequiredPowerRequests"=dword:00000001 -``` + ```console + ; Set CONNECTIVITYINSTANDBY to 1: + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9] + "Attributes"=dword:00000001 + ; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1: + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power] + "EnforceDisconnectedStandby"=dword:00000000 + "AllowSystemRequiredPowerRequests"=dword:00000001 + ``` 2. Run the following command diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 6e16d59968..36283c8d84 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -1,5 +1,5 @@ --- -title: Windows Autopilot and Surface Devices +title: Windows Autopilot and Surface devices ms.reviewer: manager: dansimp description: Find out about Windows Autopilot deployment options for Surface devices. @@ -18,21 +18,27 @@ ms.date: 11/26/2019 # Windows Autopilot and Surface devices -Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot, you can remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as a hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM). +Windows Autopilot is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box. -With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process eliminates need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. +Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a *hardware hash*. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management. + +You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution. ## Modern management -Autopilot is the recommended deployment option for Surface devices including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed to be deployed with Autopilot. +Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot. - For the best experience, enroll your Surface devices with the assistance of a Microsoft Cloud Solution Provider. Doing so enables you to manage UEFI firmware settings on Surface devices directly from Intune, eliminating the need to physically touch devices for certificate management. For more information, see [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). + It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details. ## Windows version considerations -Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 ship with Windows 10 Version 1903 or above. +Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later. + +These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later. ## Surface partners enabled for Windows Autopilot -Enrolling Surface devices in Windows Autopilot at the time of purchase is performed by select Surface partners that enroll devices on an organization’s behalf. Devices can then be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. -Surface partners enabled for Windows Autopilot include: + +Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management. + +Surface partners that are enabled for Windows Autopilot include: - [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) - [Atea](https://www.atea.com/) @@ -47,6 +53,6 @@ Surface partners enabled for Windows Autopilot include: - [Techdata](https://www.techdata.com/) ## Learn more -For more information about Windows Autopilot, refer to: +For more information about Windows Autopilot, see: - [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) - [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements) \ No newline at end of file diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md index c9f0e46454..153757ee67 100644 --- a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md +++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md @@ -12,7 +12,7 @@ ms.localizationpriority: Normal # Upgrade from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update -This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the Microsoft Desktop Optimization Pack (MDOP) July 2018 servicing update in a standalone configuration. +This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the [Microsoft Desktop Optimization Pack (MDOP) May 2019 servicing update](https://support.microsoft.com/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack) in a standalone configuration. In this guide, we will use a two-server configuration. One server will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The other server will be a Windows Server 2012 R2 web server. This server will host "Administration and Monitoring" and "Self-Service Portal." diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 8da971ed53..cb93e0fb3b 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -31,5 +31,6 @@ #### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) +#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index a9442e6fe9..5986263a1e 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. - ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: @@ -228,8 +227,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - A Stop error appears after the splash screen (Windows Logo screen). - Specific error code is displayed. - For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 5a50f731b3..8265dd9abc 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 12/13/2019 +ms.date: 12/27/2019 ms.reviewer: manager: dansimp ms.topic: article @@ -24,6 +24,7 @@ This topic lists new and updated topics in the [Client management](index.md) doc New or changed topic | Description --- | --- [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New +[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New ## December 2018 diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index a0cc7de5dd..d6d6a9fc16 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,6 +1,6 @@ --- title: Accounts CSP -description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. +description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index d6aafd84de..eb09896b90 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -1,6 +1,6 @@ --- title: Mobile device management MDM for device updates -description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. +description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 5c2dcefdc4..db52ac149a 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Diagnose MDM failures in Windows 10 -description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. +description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9 ms.reviewer: manager: dansimp @@ -118,7 +118,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi **To collect logs manually** -1. Download and install the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store. +1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store. 2. Open the Field Medic app and then click on **Advanced**. ![field medic screenshot](images/diagnose-mdm-failures2.png) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 3e69ceaa92..70759a6c03 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDataProtection CSP -description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. +description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: manager: dansimp @@ -249,7 +249,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys -- 1 (dafault) - Revoke keys +- 1 (default) - Revoke keys

Supported operations are Add, Get, Replace and Delete. Value type is integer. diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 97c5865d7e..f52b397125 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDesktopAppManagement CSP -description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. +description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 7608a417e2..44d416b67a 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -1,6 +1,6 @@ --- title: Mobile device management -description: Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. +description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 7ee6042e75..7535a3ce20 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,6 +1,6 @@ --- title: NetworkQoSPolicy DDF -description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. +description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML ms.assetid: ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 15f103ba47..b1c7501096 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1,6 +1,6 @@ --- title: What's new in MDM enrollment and management -description: This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. +description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. MS-HAID: - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' @@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [January 2020](#january-2020) - [November 2019](#november-2019) - [October 2019](#october-2019) - [September 2019](#september-2019) @@ -1935,6 +1936,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### January 2020 +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| + + ### November 2019 |New or updated topic | Description| diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index f8dfc0e3c3..fbb49aae1f 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -206,7 +206,7 @@ This node is deprecated. Use **Biometrics/UseBiometrics** node instead. **Biometrics** (only for ./Device/Vendor/MSFT) Node for defining biometric settings. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. @@ -217,7 +217,7 @@ Default value is true, enabling the biometric gestures for use with Windows Hell Supported operations are Add, Get, Delete, and Replace. -*Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* **Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 7eaea8a237..f5b345d7d6 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -1,6 +1,6 @@ --- title: PassportForWork DDF -description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. +description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 58bf93fb63..64a83cf92a 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -14,10 +14,14 @@ ms.localizationpriority: medium # Policy CSP - Browser - +> [!NOTE] +> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).

+> [!NOTE] +> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + ## Browser policies diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 09ea8790ad..1539c913c4 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- @@ -3068,7 +3068,7 @@ The following list shows the supported values: Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. -This value is a list of threat severity level IDs and corresponding actions, separated by a| using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 +This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3". The following list shows the supported values for threat severity levels: @@ -3079,12 +3079,12 @@ The following list shows the supported values for threat severity levels: The following list shows the supported values for possible actions: -- 1 – Clean -- 2 – Quarantine -- 3 – Remove -- 6 – Allow -- 8 – User defined -- 10 – Block +- 1 – Clean. Service tries to recover files and try to disinfect. +- 2 – Quarantine. Moves files to quarantine. +- 3 – Remove. Removes files from system. +- 6 – Allow. Allows file/does none of the above actions. +- 8 – User defined. Requires user to make a decision on which action to take. +- 10 – Block. Blocks file execution. diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index 0f8b376074..cfa669f4e5 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -1,6 +1,6 @@ --- title: Register your free Azure Active Directory subscription -description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. +description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7 ms.reviewer: manager: dansimp @@ -29,21 +29,11 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![register azuread](images/azure-ad-add-tenant11.png) -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. +3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. - ![register azuread](images/azure-ad-add-tenant12.png) + ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) -4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - ![register azuread](images/azure-ad-add-tenant13.png) - -5. It may take a few minutes to process the request. - - ![register azuread](images/azure-ad-add-tenant14.png) - -6. You will see a welcome page when the process completes. - - ![register azuread](images/azure-ad-add-tenant15.png)   diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index 41ad075f64..5b16192077 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -1,6 +1,6 @@ --- title: Reporting DDF file -description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. +description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider. ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index f294bbb8a3..383470060b 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -1,6 +1,6 @@ --- title: SecureAssessment DDF file -description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML. +description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index f9ff52da32..ae0b5e11c1 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -1,6 +1,6 @@ --- title: UnifiedWriteFilter CSP -description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. +description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media. ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index 75f0d91a1b..a8be6bba9c 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -1,6 +1,6 @@ --- title: Enterprise settings, policies, and app management -description: The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. +description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. MS-HAID: - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md index a42d7ec535..c4710fae63 100644 --- a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md +++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsSecurityAuditing DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. +description: View the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md new file mode 100644 index 0000000000..b774919abf --- /dev/null +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -0,0 +1,121 @@ +--- +title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first" +description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue +author: Teresa-Motiv +ms.author: v-tea +ms.date: 12/27/2019 +ms.prod: w10 +ms.topic: article +ms.custom: +- CI 111437 +- CSSTroubleshooting +audience: ITPro +ms.localizationpriority: medium +keywords: event id 41, reboot, restart, stop error, bug check code +manager: kaushika + +--- + +# Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" + +> **Home users** +> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). + +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. When you use this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaved data to disk and flush any active caches. + +If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following: + +> Event ID: 41 +> Description: The system has rebooted without cleanly shutting down first. + +This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. + +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 +> SleepInProgress false +> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) + +## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart + +By itself, Event ID 41 might not contain sufficient information to explicitly define what occurred. Typically, you have to also consider what was occurring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: + +- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code +- [Scenario 2](#scen2): The computer restarts because you pressed and held the power button +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not logged or the Event ID 41 entry lists error code values of zero + +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code + +When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: + +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 + +> [!NOTE] +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes bug check codes refers to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: +> +> 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. +> 1. In the **Calculator** window, select **View** > **Programmer**. +> 1. On the left side of calculator, verify that **Dec** is highlighted. +> 1. Use the keyboard to enter the decimal value of the bug check code. +> 1. On the left side of the calculator, select **Hex**. +> The value that the calculator displays is now the hexadecimal code. +> +> When you convert a bug check code to hexadecimal format, verify that the “0x” designation is followed by eight digits (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. + +After you identify the hexadecimal value, use the following references to continue troubleshooting: + +- [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). + +### Scenario 2: The computer restarts because you pressed and held the power button + +Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the computer logs an Event ID 41 that includes a non-zero value for the **PowerButtonTimestamp** entry. + +For help when troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." + +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero + +This scenario includes the following circumstances: + +- You shut off power to an unresponsive computer, and then you restart the computer. + To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also known as a *hard hang*). +- The computer restarts, but it does not generate Event ID 41. +- The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero. + +In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error. + +The information in Event ID 41 provides some indication of where to start checking for problems: + +- **Event ID 41 is not recorded or the bug check code is zero**. This behavior might indicate a power supply problem. If the power to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41. Or, if it does, the bug check code is zero. Conditions such as the following might be the cause: + - In the case of a portable computer, the battery was removed or completely drained. + - In the case of a desktop computer, the computer was unplugged or experienced a power outage. + - The power supply is underpowered or faulty. + +- **The PowerButtonTimestamp value is zero**. This behavior might occur if you disconnected the power to a computer that was not responding to input. Conditions such as the following might be the cause: + - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds. + - You disconnected the power to an unresponsive computer. + +Typically, the symptoms described in this scenario indicate a hardware problem. To help isolate the problem, do the following: + +- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify that the issue occurs when the system runs at the correct speed. +- **Check the memory**. Use a memory checker to determine the memory health and configuration. Verify that all memory chips run at the same speed and that every chip is configured correctly in the system. +- **Check the power supply**. Verify that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because the power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. +- **Check for overheating**. Examine the internal temperature of the hardware and check for any overheating components. + +If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. + +> [!NOTE] +> If you see a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: +> +> 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. +> 1. In the **Startup and Recovery** section, select **Settings**. +> 1. Clear the **Automatically restart** check box. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 095fa77861..250b7d99b0 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -1,6 +1,6 @@ --- title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10) -description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. +description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 351942547a..3ec17f6e6c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -1,6 +1,6 @@ --- title: Set up and test Cortana with Office 365 in your organization (Windows 10) -description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. +description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index cca8151178..fb9e1c7935 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -2,7 +2,7 @@ title: Cortana integration in your business or enterprise (Windows 10) ms.reviewer: manager: dansimp -description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. +description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 15ac23506b..0f0d1cd783 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,6 +1,6 @@ --- title: Configure access to Microsoft Store (Windows 10) -description: IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. +description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 ms.reviewer: manager: dansimp diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 4f3771b9d5..2b89867e2e 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,50 +1,51 @@ ---- -title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: customize, customization, deploy, features, tools -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Configure MDT settings - -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](../images/mdt-09-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +--- +title: Configure MDT settings (Windows 10) +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: customize, customization, deploy, features, tools +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Configure MDT settings + +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](../images/mdt-09-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md index 6ebe0fe528..54b6e72815 100644 --- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md @@ -1,6 +1,6 @@ --- title: Integrate Configuration Manager with MDT (Windows 10) -description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. +description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows. ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 2e1b06b5f4..aa2e3ff40e 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -1,6 +1,6 @@ --- title: Prepare for deployment with MDT (Windows 10) -description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). +description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index dee4dd39d2..f02158277d 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -1,6 +1,6 @@ --- title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) -description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. +description: Learn how to replace a Windows 7 device with a Windows 10 device. Although the process is similar to performing a refresh, you'll need to backup data externally ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 34a005a021..975eb2a944 100644 --- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -1,117 +1,118 @@ ---- -title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) -description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. -ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: tool, customize, deploy, boot image -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Create a custom Windows PE boot image with Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - -For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -## Add DaRT 10 files and prepare to brand the boot image - - -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp. - -1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings. - -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. - -3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. - -4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. - -5. Using File Explorer, navigate to the **C:\\Setup** folder. - -6. Copy the **Branding** folder to **E:\\Sources\\OSD**. - -## Create a boot image for Configuration Manager using the MDT wizard - - -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. - -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. - -2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**. - - >[!NOTE] - >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. - -3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**. - -4. On the **Options** page, select the **x64** platform, and click **Next**. - -5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. - - ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") - - Figure 15. Add the DaRT component to the Configuration Manager boot image. - -6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice. - - >[!NOTE] - >It will take a few minutes to generate the boot image. - -7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. - -8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. - -9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image. - - ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image") - - Figure 16. Content status for the Zero Touch WinPE x64 boot image - -10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. - -11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**. - -12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages. - -13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -  - -  +--- +title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) +description: Microsoft System Center 2012 R2 Configuration Manager can create custom Windows Preinstallation Environment (Windows PE) boot images with extra features. +ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: tool, customize, deploy, boot image +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Create a custom Windows PE boot image with Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Add DaRT 10 files and prepare to brand the boot image + + +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp. + +1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings. + +2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. + +3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. + +4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. + +5. Using File Explorer, navigate to the **C:\\Setup** folder. + +6. Copy the **Branding** folder to **E:\\Sources\\OSD**. + +## Create a boot image for Configuration Manager using the MDT wizard + + +By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. + +1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. + +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**. + + >[!NOTE] + >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**. + +4. On the **Options** page, select the **x64** platform, and click **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + + ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") + + Figure 15. Add the DaRT component to the Configuration Manager boot image. + +6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice. + + >[!NOTE] + >It will take a few minutes to generate the boot image. + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image. + + ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image") + + Figure 16. Content status for the Zero Touch WinPE x64 boot image + +10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + +11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**. + +12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages. + +13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index b9181ca45d..abb5e94fdb 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -1,6 +1,6 @@ --- title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) -description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows. ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index bc1991c752..aa63171e92 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1,6 +1,6 @@ --- title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) -description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. +description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index 955117dcd6..f0e3ef4473 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -1,6 +1,6 @@ --- title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) -description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. +description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index e0adb30d1a..56143ee843 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -1,69 +1,70 @@ ---- -title: SUA User's Guide (Windows 10) -description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. -ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# SUA User's Guide - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. - -You can use SUA in either of the following ways: - -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. - -- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
TopicDescription

Using the SUA Wizard

The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

Using the SUA Tool

By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

- - - - - - - - +--- +title: SUA User's Guide (Windows 10) +description: Standard User Analyzer (SUA) can test your apps and monitor API calls to detect compatibility issues related to Windows' User Account Control (UAC) feature. +ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# SUA User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. + +You can use SUA in either of the following ways: + +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. + +- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

Using the SUA Wizard

The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

Using the SUA Tool

By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

+ + + + + + + + diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index 6782e5861f..c3c759c319 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -1,6 +1,6 @@ --- title: Testing Your Application Mitigation Packages (Windows 10) -description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. +description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues. ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index eb092034f3..649a832f90 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -1,113 +1,114 @@ ---- -title: Using the Sdbinst.exe Command-Line Tool (Windows 10) -description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. -ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the Sdbinst.exe Command-Line Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2016 -- Windows Server 2012 -- Windows Server 2008 R2 - -You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations. - -After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. - -## Command-Line Options for Deploying Customized Database Files - -Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: - -``` -Microsoft Windows [Version 10.0.14393] -(c) 2016 Microsoft Corporation. All rights reserved. - -C:\Windows\system32>Sdbinst.exe /? -Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" - - -? - print this help text. - -p - Allow SDBs containing patches. - -q - Quiet mode: prompts are auto-accepted. - -u - Uninstall. - -g {guid} - GUID of file (uninstall only). - -n "name" - Internal name of file (uninstall only). - -C:\Windows\system32>_ -``` - -The command-line options use the following conventions: - -Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] - -The following table describes the available command-line options. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionDescription

-?

Displays the Help for the Sdbinst.exe tool.

-

For example,

-

sdbinst.exe -?

-p

Allows SDBs installation with Patches

-

For example,

-

sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb

-q

Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

-

For example,

-

sdbinst.exe -q

-u filepath

Performs an uninstallation of the specified database.

-

For example,

-

sdbinst.exe -u C:\example.sdb

-g GUID

Specifies the customized database to uninstall by a globally unique identifier (GUID).

-

For example,

-

sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3

-n "name"

Specifies the customized database to uninstall by file name.

-

For example,

-

sdbinst.exe -n "My_Database"

- -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Using the Sdbinst.exe Command-Line Tool (Windows 10) +description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command line options. +ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the Sdbinst.exe Command-Line Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2016 +- Windows Server 2012 +- Windows Server 2008 R2 + +You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations. + +After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. + +## Command-Line Options for Deploying Customized Database Files + +Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: + +``` +Microsoft Windows [Version 10.0.14393] +(c) 2016 Microsoft Corporation. All rights reserved. + +C:\Windows\system32>Sdbinst.exe /? +Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" + + -? - print this help text. + -p - Allow SDBs containing patches. + -q - Quiet mode: prompts are auto-accepted. + -u - Uninstall. + -g {guid} - GUID of file (uninstall only). + -n "name" - Internal name of file (uninstall only). + +C:\Windows\system32>_ +``` + +The command-line options use the following conventions: + +Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] + +The following table describes the available command-line options. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription

-?

Displays the Help for the Sdbinst.exe tool.

+

For example,

+

sdbinst.exe -?

-p

Allows SDBs installation with Patches

+

For example,

+

sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb

-q

Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

+

For example,

+

sdbinst.exe -q

-u filepath

Performs an uninstallation of the specified database.

+

For example,

+

sdbinst.exe -u C:\example.sdb

-g GUID

Specifies the customized database to uninstall by a globally unique identifier (GUID).

+

For example,

+

sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3

-n "name"

Specifies the customized database to uninstall by file name.

+

For example,

+

sdbinst.exe -n "My_Database"

+ +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 4070f56802..786d9d2fcf 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,90 +1,91 @@ ---- -title: Using the SUA Wizard (Windows 10) -description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. -ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the SUA Wizard - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. - -For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). - -## Testing an Application by Using the SUA Wizard - - -You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. - -The following flowchart shows the process of using the SUA Wizard. - -![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg) - -**To test an application by using the SUA Wizard** - -1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. - -2. Run the Standard User Analyzer Wizard. - -3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. - -4. Click **Launch**. - - If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. - - If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. - -5. In the application, exercise the functionality that you want to test. - -6. After you finish testing, exit the application. - - The SUA Wizard displays a message that asks whether the application ran without any issues. - -7. Click **No**. - - The SUA Wizard shows a list of potential remedies that you might use to fix the application. - -8. Select the fixes that you want to apply, and then click **Launch**. - - The application appears again, with the fixes applied. - -9. Test the application again, and after you finish testing, exit the application. - - The SUA Wizard displays a message that asks whether the application ran without any issues. - -10. If the application ran correctly, click **Yes**. - - The SUA Wizard closes the issue as resolved on the local computer. - - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). - -## Related topics -[SUA User's Guide](sua-users-guide.md) - -  - -  - - - - - +--- +title: Using the SUA Wizard (Windows 10) +description: The Standard User Analyzer (SUA) Wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the SUA Wizard + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. + +For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). + +## Testing an Application by Using the SUA Wizard + + +You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. + +The following flowchart shows the process of using the SUA Wizard. + +![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg) + +**To test an application by using the SUA Wizard** + +1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. + +2. Run the Standard User Analyzer Wizard. + +3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. + +4. Click **Launch**. + + If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. + + If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. + +5. In the application, exercise the functionality that you want to test. + +6. After you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +7. Click **No**. + + The SUA Wizard shows a list of potential remedies that you might use to fix the application. + +8. Select the fixes that you want to apply, and then click **Launch**. + + The application appears again, with the fixes applied. + +9. Test the application again, and after you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +10. If the application ran correctly, click **Yes**. + + The SUA Wizard closes the issue as resolved on the local computer. + + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + +## Related topics +[SUA User's Guide](sua-users-guide.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index 579f4b8bfa..67a11cd90f 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md @@ -1,6 +1,6 @@ --- title: Viewing the Events Screen in Compatibility Administrator (Windows 10) -description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. +description: You can use the Events screen to record and view activities in the Compatibility Administrator tool. ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 3b851ad2ca..46a5a0548c 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,6 +1,6 @@ --- title: Windows 10 infrastructure requirements (Windows 10) -description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +description: Review the specific infrastructure requirements to deploy and manage Windows 10, prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index dcab3997b1..23fefc02cd 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -92,9 +92,9 @@ As of the date of publication, the following are the USB drives currently certif > [!WARNING] > Using a USB drive that has not been certified is not supported. -- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) -- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717)) -- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718)) +- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws)) +- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws)) +- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws)) - Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) - Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b22f954ccc..0c96d3ba90 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -125,9 +125,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha ## Configure when devices receive Quality Updates -Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. -You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. +You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. >[!IMPORTANT] >This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise. @@ -146,7 +146,7 @@ You can set your system to receive updates for other Microsoft products—known ## Pause quality updates -You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again. +You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -201,9 +201,9 @@ The policy settings to **Select when Feature Updates are received** allows you t * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: **Update/BranchReadinessLevel** -## Exclude drivers from Quality Updates +## Exclude drivers from quality updates -Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. **Policy settings to exclude drivers** diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index ff07ad3cbe..812e47c937 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 71ebf32bab..a4c6a01688 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -35,7 +35,7 @@ The following table describes some log files and how to use them for troubleshoo
- + @@ -52,7 +52,7 @@ setupapi.dev.log
Event logs (*.evtx)
Log filePhase: LocationDescriptionWhen to use
Log filePhase: LocationDescriptionWhen to use
setupact.logDown-Level:
$Windows.~BT\Sources\Panther		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
This is the most important log for diagnosing setup issues.
OOBE:
$Windows.~BT\Sources\Panther\UnattendGC		 $Windows.~BT\Sources\RollbackAdditional logs collected during rollback. -Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
+Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
Setupapi: Device install issues - 0x30018
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 7b336767e8..7168d9029e 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -194,7 +194,7 @@ Disconnect all peripheral devices that are connected to the system, except for t Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code. -
The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases: +
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases: 
 Info SP     Crash 0x0000007E detected
 Info SP       Module name           :
@@ -513,9 +513,9 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
 

-
+
+
@@ -647,7 +647,7 @@ For detailed information on how to run these steps check out Error Codes
+

 
 
Error code
-Cause
-Mitigation
+Error codeCauseMitigation
 

 
 
CauseMitigation
Error CodesCauseMitigation

 
0x80070003- 0x20007
 This is a failure during SafeOS phase driver installation.
 
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 5bb2a95e0c..9f3b61be3a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -91,7 +91,7 @@ The following tables provide the corresponding phase and operation for values of
 

 
 
-
+
-      
-      
-      
Extend code: phase
Extend code: phase
 
HexPhase
 
0SP_EXECUTION_UNKNOWN
 
1SP_EXECUTION_DOWNLEVEL
@@ -103,7 +103,7 @@ The following tables provide the corresponding phase and operation for values of
 
 
 
-
+
-      
-      
-      
-      
-      
Extend code: operation
Extend code: operation
 

 

 
HexOperation
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 1ee21e76d4..74dbc40088 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -1,59 +1,60 @@
----
-title: User State Migration Tool (USMT) Technical Reference (Windows 10)
-description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
-ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Technical Reference
-The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
-
-Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803).
-
-**USMT support for Microsoft Office**
->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.

->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
-
-USMT includes three command-line tools:
-
--   ScanState.exe

--   LoadState.exe

--   UsmtUtils.exe
-
-USMT also includes a set of three modifiable .xml files:
-
--   MigApp.xml

--   MigDocs.xml

--   MigUser.xml
-
-Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-
-USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
-
-## In This Section
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
-|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.|
-|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.|
-|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
-
-## Related topics
-- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx)
-
- 
-
- 
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Technical Reference (Windows 10)
+description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals.
+ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Technical Reference
+The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
+
+Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803).
+
+**USMT support for Microsoft Office**
+>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.

+>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
+
+USMT includes three command-line tools:
+
+-   ScanState.exe

+-   LoadState.exe

+-   UsmtUtils.exe
+
+USMT also includes a set of three modifiable .xml files:
+
+-   MigApp.xml

+-   MigDocs.xml

+-   MigUser.xml
+
+Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+
+USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
+
+## In This Section
+|Topic |Description|
+|------|-----------|
+|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
+|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.|
+|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.|
+|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
+
+## Related topics
+- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index 39f4344b23..07047dd903 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -1,79 +1,80 @@
----
-title: Use the Volume Activation Management Tool (Windows 10)
-description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
-ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Use the Volume Activation Management Tool
-
-**Applies to**
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012 R2
--   Windows Server 2012
--   Windows Server 2008 R2
-
-**Looking for retail activation?**
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
-
-By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be 
-installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
-
-The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
-
-In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
-
-## Activating with the Volume Activation Management Tool
-
-You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
--   **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
--   **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
-    By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
-
-## Tracking products and computers with the Volume Activation Management Tool
-
-The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
-
-![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg)
-
-**Figure 18**. The VAMT showing the licensing status of multiple computers
-
-## Tracking key usage with the Volume Activation Management Tool
-
-The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
-
-![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg)
-
-**Figure 19**. The VAMT showing key types and usage
-
-## Other Volume Activation Management Tool features
-
-The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
--   **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
--   **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
--   **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
-
-For more information, see:
--   [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266)
--   [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267)
-
-## See also
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
- 
- 
+---
+title: Use the Volume Activation Management Tool (Windows 10)
+description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
+ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Use the Volume Activation Management Tool
+
+**Applies to**
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012 R2
+-   Windows Server 2012
+-   Windows Server 2008 R2
+
+**Looking for retail activation?**
+-   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
+
+By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be 
+installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
+
+The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
+
+In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
+
+## Activating with the Volume Activation Management Tool
+
+You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
+-   **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+-   **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
+    By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
+
+## Tracking products and computers with the Volume Activation Management Tool
+
+The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
+
+![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg)
+
+**Figure 18**. The VAMT showing the licensing status of multiple computers
+
+## Tracking key usage with the Volume Activation Management Tool
+
+The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
+
+![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg)
+
+**Figure 19**. The VAMT showing key types and usage
+
+## Other Volume Activation Management Tool features
+
+The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
+-   **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
+-   **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
+-   **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
+
+For more information, see:
+-   [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266)
+-   [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267)
+
+## See also
+-   [Volume Activation for Windows 10](volume-activation-windows-10.md)
+ 
+ 
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 8022121cb3..2259c02d2f 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -20,39 +20,33 @@ ms.custom:
 
 # VAMT known issues
 
-The following list and the section that follows contain the current known issues regarding the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
+The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include:
 
 - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
-- When opening a Computer Information List (CIL file) that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information.
-- The remaining activation count can only be retrieved for MAKs.
+- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information.
+- The remaining activation count can only be retrieved for Multiple Activation Key (MAKs).
 
-## Can't add CSVLKs for Windows 10 activation to VAMT 3.1
+## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1
 
-When you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message:
-
-> The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online.
+Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
 
 ![VAMT error message](./images/vamt-known-issue-message.png)
 
-This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key.
+This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
 
-### Workaround
+### Method 1
 
-To work around this issue, use one of the following methods.
+Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
 
-**Method 1**
+### Method 2
 
-Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command-line tool to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
-
-**Method 2**
-
-On the KMS host computer, follow these steps:
+On the KMS host computer, perform the following steps:
 
 1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
 
-1. In Windows Explorer, right-click **485392_intl_x64_zip**, and then extract the hotfix to **C:\KB3058168**.
+1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
 
-1. To extract the contents of the update, open a Command Prompt window and run the following command:
+1. To extract the contents of the update, run the following command:
 
    ```cmd
    expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
@@ -64,6 +58,6 @@ On the KMS host computer, follow these steps:
    expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
    ```
 
-1. In the "C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716\" folder, copy the **pkeyconfig-csvlk.xrm-ms** file. Paste this file to the "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig" folder.
+1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder.
 
 1. Restart VAMT.
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index b517ac9410..c73cbc4546 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,43 +1,44 @@
----
-title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
-description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
-ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Volume Activation Management Tool (VAMT) Technical Reference
-
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
-VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
--   Windows® 7 or above
--   Windows Server 2008 R2 or above
-
-
-**Important**  
-VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). 
-
-VAMT is only available in an EN-US (x86) package.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
-|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
-|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
-|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
-|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
-|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
-|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
-|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
-|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
- 
+---
+title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
+description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
+ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Volume Activation Management Tool (VAMT) Technical Reference
+
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
+-   Windows® 7 or above
+-   Windows Server 2008 R2 or above
+
+
+**Important**  
+VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above). 
+
+VAMT is only available in an EN-US (x86) package.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
+|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
+|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
+|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
+|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
+|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
+|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
+|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
+|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
+ 
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index f308f019a8..a820b9e25b 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Volume Activation for Windows 10
-description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
+description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
 ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2
 ms.reviewer: 
 manager: laurawi
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 26151664de..ce54ecb1ff 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -1,275 +1,277 @@
----
-title: Windows 10 deployment scenarios (Windows 10)
-description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider.
-ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
-ms.reviewer: 
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-keywords: upgrade, in-place, configuration, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.date: 11/06/2018
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 deployment scenarios
-
-**Applies to**
--   Windows 10
-
-To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
-
-The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. 
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
-- Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
-- Traditional deployment methods use existing tools to deploy operating system images.
 
-
-
-  
-     
-     
-     
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-    
-  
-  
-    
-    
-    
-   
-  
-    
-    
-    
-  
-  
-    
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
CategoryScenarioDescriptionMore information
Modern
-
-[Windows Autopilot](#windows-autopilot) 
-      Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-     
-Overview of Windows Autopilot
-    
 
-
-[In-place upgrade](#in-place-upgrade)
-
-  
-      Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-     
-Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
-    
 
-      Dynamic
-     
-
-[Subscription Activation](#windows-10-subscription-activation)
-     
-      Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. 
-     
-Windows 10 Subscription Activation
-    
 
-
- [AAD / MDM](#dynamic-provisioning)
-     
-      The device is automatically joined to AAD and configured by MDM.
-     
-Azure Active Directory integration with MDM
-    
 
-
-   [Provisioning packages](#dynamic-provisioning)
-     
-      Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
-     
-Configure devices without MDM
-    
 
-      Traditional
-    
-
-   [Bare metal](#new-computer)
-     
-      Deploy a new device, or wipe an existing device and deploy with a fresh image. 
-     
- Deploy a Windows 10 image using MDT
Install a new version of Windows on a new computer with System Center Configuration Manager
-    
 
-
-   [Refresh](#computer-refresh)
-     
-      Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. 
-     
- Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-    
 
-
-  [Replace](#computer-replace)
-     
-      Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
-     
- Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-    

-
-
 
-
-
->[!IMPORTANT]
->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.

->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. 
-
-## Modern deployment methods
-
-Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
-
-### Windows Autopilot
-
-Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
-
-For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
-
-### In-place upgrade
-
-For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
-
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
-
-The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
-
-Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
-
-Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
-
-- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
-
--   **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
-    - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
-    - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
-
-There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
-
--   Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
--   Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
--   Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
--   Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
-
-
-## Dynamic provisioning
-
-For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
-
-The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
-
-### Windows 10 Subscription Activation
-
-Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
-
-
-### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
-
-In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
-
-### Provisioning package configuration
-
-Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
-
-These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
-
-While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
-
-## Traditional deployment: 
-
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
-
-With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
-
-The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
-
--   **New computer.** A bare-metal deployment of a new machine.
-
--   **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
-
--   **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
-
-### New computer
-
-Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
-
-The deployment process for the new machine scenario is as follows:
-
-1.  Start the setup from boot media (CD, USB, ISO, or PXE).
-
-2.  Wipe the hard disk clean and create new volume(s).
-
-3.  Install the operating system image.
-
-4.  Install other applications (as part of the task sequence).
-
-After taking these steps, the computer is ready for use.
-
-### Computer refresh
-
-A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
-
-The deployment process for the wipe-and-load scenario is as follows:
-
-1.  Start the setup on a running operating system.
-
-2.  Save the user state locally.
-
-3.  Wipe the hard disk clean (except for the folder containing the backup).
-
-4.  Install the operating system image.
-
-5.  Install other applications.
-
-6.  Restore the user state.
-
-After taking these steps, the machine is ready for use.
-
-### Computer replace
-
-A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
-
-The deployment process for the replace scenario is as follows:
-
-1.  Save the user state (data and settings) on the server through a backup job on the running operating system.
-
-2.  Deploy the new computer as a bare-metal deployment.
-
-    **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
-
-## Related topics
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
-- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
-- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
+---
+title: Windows 10 deployment scenarios (Windows 10)
+description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
+ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
+ms.reviewer: 
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+keywords: upgrade, in-place, configuration, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.date: 11/06/2018
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment scenarios
+
+**Applies to**
+-   Windows 10
+
+To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
+
+The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. 
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
+- Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
+- Traditional deployment methods use existing tools to deploy operating system images.
 
+
+
+  
+     
+     
+     
+  
+    
+    
+    
+  
+  
+    
+    
+    
+  
+  
+    
+    
+    
+    
+  
+  
+    
+    
+    
+   
+  
+    
+    
+    
+  
+  
+    
+    
+    
+    
+  
+  
+    
+    
+    
+  
+  
+    
+    
+    
+  
+
CategoryScenarioDescriptionMore information
Modern
+
+[Windows Autopilot](#windows-autopilot) 
+      Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
+     
+Overview of Windows Autopilot
+    
 
+
+[In-place upgrade](#in-place-upgrade)
+
+  
+      Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
+     
+Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
+    
 
+      Dynamic
+     
+
+[Subscription Activation](#windows-10-subscription-activation)
+     
+      Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. 
+     
+Windows 10 Subscription Activation
+    
 
+
+ [AAD / MDM](#dynamic-provisioning)
+     
+      The device is automatically joined to AAD and configured by MDM.
+     
+Azure Active Directory integration with MDM
+    
 
+
+   [Provisioning packages](#dynamic-provisioning)
+     
+      Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
+     
+Configure devices without MDM
+    
 
+      Traditional
+    
+
+   [Bare metal](#new-computer)
+     
+      Deploy a new device, or wipe an existing device and deploy with a fresh image. 
+     
+ Deploy a Windows 10 image using MDT
Install a new version of Windows on a new computer with System Center Configuration Manager
+    
 
+
+   [Refresh](#computer-refresh)
+     
+      Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. 
+     
+ Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+    
 
+
+  [Replace](#computer-replace)
+     
+      Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
+     
+ Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+    

+
+
 
+
+
+>[!IMPORTANT]
+>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.

+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. 
+
+## Modern deployment methods
+
+Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
+
+### Windows Autopilot
+
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
+
+### In-place upgrade
+
+For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
+
+Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
+
+The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
+
+Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
+
+Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
+
+-   **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+    - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+    - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+
+There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
+
+-   Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+-   Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+-   Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
+-   Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
+
+
+## Dynamic provisioning
+
+For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
+
+The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
+
+### Windows 10 Subscription Activation
+
+Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
+
+
+### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+
+### Provisioning package configuration
+
+Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
+
+These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
+
+While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
+
+## Traditional deployment: 
+
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+
+With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
+
+The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
+
+-   **New computer.** A bare-metal deployment of a new machine.
+
+-   **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+
+-   **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
+
+### New computer
+
+Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
+
+The deployment process for the new machine scenario is as follows:
+
+1.  Start the setup from boot media (CD, USB, ISO, or PXE).
+
+2.  Wipe the hard disk clean and create new volume(s).
+
+3.  Install the operating system image.
+
+4.  Install other applications (as part of the task sequence).
+
+After taking these steps, the computer is ready for use.
+
+### Computer refresh
+
+A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
+
+The deployment process for the wipe-and-load scenario is as follows:
+
+1.  Start the setup on a running operating system.
+
+2.  Save the user state locally.
+
+3.  Wipe the hard disk clean (except for the folder containing the backup).
+
+4.  Install the operating system image.
+
+5.  Install other applications.
+
+6.  Restore the user state.
+
+After taking these steps, the machine is ready for use.
+
+### Computer replace
+
+A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
+
+The deployment process for the replace scenario is as follows:
+
+1.  Save the user state (data and settings) on the server through a backup job on the running operating system.
+
+2.  Deploy the new computer as a bare-metal deployment.
+
+    **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
+
+## Related topics
+
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
+- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
+- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 7a4fb81ed7..fb9fdbecee 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,1106 +1,1109 @@
----
-title: Configure a test lab to deploy Windows 10
-ms.reviewer: 
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, mdt, sccm
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Step by step guide: Configure a test lab to deploy Windows 10
-
-**Applies to**
-
--   Windows 10
-
-This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
-
-- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)

-- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)

-
-The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
-
-Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
-
-Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
-
-> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
-> 
-> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
-
-Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
-
-## In this guide
-
-This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
-
-After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-

-
-

-
-
-
-
TopicDescriptionTime
Hardware and software requirementsPrerequisites to complete this guide.Informational
-
Lab setupA description and diagram of the PoC environment.Informational
-
Configure the PoC environmentParent topic for procedures.Informational
-
Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes
-
Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes
-
Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes
-
Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes
-
Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes
-
Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes
-
Configure VMsStart virtual machines and configure all services and settings.60 minutes
-
Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes
-
Appendix B: Terminology in this guideTerms used in this guide.Informational
-

-

-
-## Hardware and software requirements
-
-One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
-
-- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
-- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
-
-Harware requirements are displayed below:
-
-

-
-
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-
Computer 1 (required)Computer 2 (recommended)
RoleHyper-V hostClient computer
DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
EditionEnterprise, Professional, or EducationAny
Architecture64-bitAny
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
-        
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.		Any
Disk200 GB available hard disk space, any format.Any size, MBR formatted.
CPUSLAT-Capable CPUAny
NetworkInternet connectionAny

-
-
-\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
-

-
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
-
-

-
-## Lab setup
-
-The lab architecture is summarized in the following diagram:
-
-![PoC](images/poc.png)
-
-- Computer 1 is configured to host four VMs on a private, PoC network.
-    - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
-    - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
-
->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
-
-The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
-
-## Configure the PoC environment
-
->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
-
-### Procedures in this section
-
-[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)

-[Download VHD and ISO files](#download-vhd-and-iso-files)

-[Convert PC to VM](#convert-pc-to-vm)

-[Resize VHD](#resize-vhd)

-[Configure Hyper-V](#configure-hyper-v)

-[Configure VMs](#configure-vms)

-
-### Verify support and install Hyper-V
-
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
-1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
-    
-    C:\>systeminfo
-
-    ...
-    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                               Virtualization Enabled In Firmware: Yes
-                               Second Level Address Translation: Yes
-                               Data Execution Prevention Available: Yes
-    

-
-    In this example, the computer supports SLAT and Hyper-V.
-
-    If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V.  However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
-    You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
-    
-    C:\>coreinfo -v
-
-    Coreinfo v3.31 - Dump information on system CPU and memory topology
-    Copyright (C) 2008-2014 Mark Russinovich
-    Sysinternals - www.sysinternals.com
-
-    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-    Microcode signature: 0000001B
-    HYPERVISOR      -       Hypervisor is present
-    VMX             *       Supports Intel hardware-assisted virtualization
-    EPT             *       Supports Intel extended page tables (SLAT)
-    

-
-    Note: A 64-bit operating system is required to run Hyper-V.
-
-2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
-
-    
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All

-
-    This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
-
-    
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools

-
-    When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
-
-    >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
-    ![hyper-v feature](images/hyper-v-feature.png)
-
-    ![hyper-v](images/svr_mgr2.png)
-
-    
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
-
-### Download VHD and ISO files
-
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
-
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
-
-    **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
-
-    After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-
-    
-    
-    
 VHD 

-
-2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
-3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
-
-    >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
-
-5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
-
-After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
-
-The following displays the procedures described in this section, both before and after downloading files:
-
-
-C:>mkdir VHD
-C:>cd VHD
-C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
-   1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD>dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-

-
-### Convert PC to VM
-
->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
-
-

-If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
-

-
    
-
  1. Open the Download virtual machines page.
-
  2. Under Virtual machine, choose IE11 on Win7.
-
  3. Under Select platform choose HyperV (Windows).
-
  4. Click Download .zip. The download is 3.31 GB.
-
  5. Extract the zip file. Three directories are created.
-
  6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory.
-
  7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx).
-
  8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd.
-

-

-
-If you have a PC available to convert to VM (computer 2):
-
-1. Sign in on computer 2 using an account with Administrator privileges.
-
->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
-
-2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
-3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
-
-#### Determine the VM generation and partition type
-
-When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
-
-

-
-
-    
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-    
-
ArchitectureOperating systemPartition style
Generation 132-bit or 64-bitWindows 7 or laterMBR
Generation 264-bitWindows 8 or laterMBR or GPT

-
-

-
-If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
-
-- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
-- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
-
-
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-

-
-If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
-
-
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                           Caption                                 Type
-----------                           -------                                 ----
-USER-PC1                             Disk #0, Partition #0                   GPT: System
-USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
-

-
-On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
-
-
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                            Caption                               Type
-----------                            -------                               ----
-PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
-PC-X1                                 Disk #0, Partition #1                 GPT: System
-PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name                  OperationalStatus                     Total Size Partition Style
------- -------------                  -----------------                     ---------- ---------------
-0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
-

-
-
-
-**Choosing a VM generation**
-
-The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-
-

-
-
-    
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-        
-    
-    
-        
-        
-        
-    
-
OSPartition styleArchitectureVM generationProcedure
Windows 7MBR321Prepare a generation 1 VM
641Prepare a generation 1 VM
GPT32N/AN/A
641Prepare a generation 1 VM from a GPT disk
Windows 8 or laterMBR321Prepare a generation 1 VM
641, 2Prepare a generation 1 VM
GPT321Prepare a generation 1 VM from a GPT disk
642Prepare a generation 2 VM

-
-

-
-Notes:

-
    
-
  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk.
-
  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM.
-
  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM.
-

-
-#### Prepare a generation 1 VM
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
-4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
-
-    ![disk2vhd](images/disk2vhd.png)
-
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-    
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHDX
-    

-
-#### Prepare a generation 2 VM
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, open an elevated command prompt and type the following command:
-
-    
mountvol s: /s

-
-    This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
-
-3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
-
-    **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
-
-5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
-
-    ![disk2vhd](images/disk2vhd-gen2.png)
-
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-    
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    PC1.VHDX
-    

-
-#### Prepare a generation 1 VM from a GPT disk
-
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
-4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
-
-    ![disk2vhd](images/disk2vhd4.png)
-
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
-    
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHD
-    

-
-    >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
-
-### Resize VHD
-
-

-Enhanced session mode
-
-**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
-
-To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-
Set-VMhost -EnableEnhancedSessionMode $TRUE

-
->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
-

-
-The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
-
-1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-    
-    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
-    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
-    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-    

-
-2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
-
-    
-    Get-Volume -DriveLetter $x
-    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd

-
-### Configure Hyper-V
-
-1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
-
-    >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:

-       A) Remove the existing external virtual switch, then add the poc-external switch

-       B) Rename the existing external switch to "poc-external"

-       C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch

-    If you choose B) or C), then do not run the second command below.
-
-    
-    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
-    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-    

-
-    **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
-
-    >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
-
-2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
-    
-    (Get-VMHostNumaNode).MemoryAvailable
-    

-
-    This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
-
-3. Determine the available memory for VMs by dividing the available RAM by 4.  For example:
-
-    
-    (Get-VMHostNumaNode).MemoryAvailable/4
-    2775.5
-    

-
-    In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
-
-4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
-    >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
-    
-    $maxRAM = 2700MB
-    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
-    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
-    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
-    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
-    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-    

-
-    **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
-
-5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
-
-    To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
-    
-    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    

-
-    To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
-    
-    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    

-
-    To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
-
-    >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
-
-    First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
-
-    
-    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
-    Mount-VHD -Passthru |
-    Get-Disk -Number {$_.DiskNumber} |
-    Initialize-Disk -PartitionStyle MBR -PassThru |
-    New-Partition -UseMaximumSize |
-    Format-Volume -Confirm:$false -FileSystem NTFS -force
-    Dismount-VHD -Path c:\vhd\d.vhd
-    

-
-    Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
-
-    
-    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
-    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
-    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    Start-VM PC1
-    vmconnect localhost PC1
-    

-
-    The VM will automatically boot into Windows Setup. In the PC1 window:
-
-   1. Click **Next**.
-   2. Click **Repair your computer**.
-   3. Click **Troubleshoot**.
-   4. Click **Command Prompt**.
-   5. Type the following command to save an image of the OS drive:
-
-      
-      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-      

-
-   6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
-      
-      diskpart
-      select disk 0
-      clean
-      convert MBR
-      create partition primary size=100
-      format fs=ntfs quick
-      active
-      create partition primary
-      format fs=ntfs quick label=OS
-      assign letter=c
-      exit
-      

-
-   7. Type the following commands to restore the OS image and boot files:
-
-      
-      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
-      bcdboot c:\windows
-      exit
-      

-
-   8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
-   9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
-   10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
-       
-       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
-       Set-VMDvdDrive -VMName PC1 -Path $null
-       

-
-### Configure VMs
-
-1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
-    
-    Start-VM DC1
-    vmconnect localhost DC1
-    

-
-2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
-3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
-5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
-    
-    Rename-Computer DC1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    

-
-   > The default gateway at 192.168.0.2 will be configured later in this guide.
-   > 
-   > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
-
-6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
-    
-    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-    

-
-7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
-    
-    Restart-Computer
-    

-
-8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
-    
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-    

-
-    Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
-
-9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
-    
-    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
-    Add-WindowsFeature -Name DHCP -IncludeManagementTools
-    netsh dhcp add securitygroups
-    Restart-Service DHCPServer
-    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
-    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
-    

-
-10. Next, add a DHCP scope and set option values:
-
-    
-    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
-    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-    

-
-    >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
-
-11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
-    
-    Get-DnsServerForwarder
-    

-
-    The following output should be displayed:
-
-    
-    UseRootHint        : True
-    Timeout(s)         : 3
-    EnableReordering   : True
-    IPAddress          : 192.168.0.2
-    ReorderedIPAddress : 192.168.0.2
-    

-
-    If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
-
-    
-    Add-DnsServerForwarder -IPAddress 192.168.0.2
-    

-
-    **Configure service and user accounts**
-
-    Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
-
-    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-    On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-    
-    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
-    Set-ADUser -Identity user1 -PasswordNeverExpires $true
-    Set-ADUser -Identity administrator -PasswordNeverExpires $true
-    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-    

-
-12. Minimize the DC1 VM window but **do not stop** the VM.
-
-    Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
-
-13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
-    
-    Start-VM PC1
-    vmconnect localhost PC1
-    

-
-14. Sign in to PC1 using an account that has local administrator rights.
-
-    >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
-
-15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
-
-    ![PoC](images/installing-drivers.png)
-
-    >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
-
-16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
-
-17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
-
-    To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
-
-    ```
-    ipconfig
-
-    Windows IP Configuration
-
-    Ethernet adapter Local Area Connection 3:
-        Connection-specific DNS Suffix  . : contoso.com
-        Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
-        Ipv4 Address. . . . . . . . . . . : 192.168.0.101
-        Subnet Mask . . . . . . . . . . . : 255.255.255.0
-        Default Gateway . . . . . . . . . : 192.168.0.2
-
-    ping dc1.contoso.com
-
-    Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
-    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-
-    nltest /dsgetdc:contoso.com
-               DC: \\DC1
-          Address: \\192.168.0.1
-         Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
-         Dom Name: CONTOSO
-      Forest Name: contoso.com
-     Dc Site Name: Default-First-Site-Name
-    Our Site Name: Default-First-Site-Name
-            Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
-    ```
-
-    >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
-
-18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
-
-    
-    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-    

-
-    >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
-
-    See the following example:
-
-    ![ISE](images/ISE.png)
-
-19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
-20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
-
-    
-    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
-    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
-    

-
-    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
-
-    If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
-
-21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
-
-    
-    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-    

-
-    >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
-
-22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
-    >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
-23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
-24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
-
-    
-    Start-VM SRV1
-    vmconnect localhost SRV1
-    

-
-25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
-26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
-27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
-
-    
-    Rename-Computer SRV1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    Restart-Computer
-    

-
-    >[!IMPORTANT]
-    >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet."  If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
-
-28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
-
-    
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-    

-
-29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
-
-    
-    Install-WindowsFeature -Name DNS -IncludeManagementTools
-    Install-WindowsFeature -Name WDS -IncludeManagementTools
-    Install-WindowsFeature -Name Routing -IncludeManagementTools
-    

-
-30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
-
-    To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
-
-    
-    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
-    IPAddress                                                                  InterfaceAlias
-    ---------                                                                  --------------
-    10.137.130.118                                                             Ethernet 2
-    192.168.0.2                                                                Ethernet
-    

-
-    In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
-
-    >[!TIP]
-    >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
-
-
-31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-    
-    Install-RemoteAccess -VpnType Vpn
-    cmd /c netsh routing ip nat install
-    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
-    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
-    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-    

-
-32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
-    
-    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-    

-
-33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
-
-    
-    ping www.microsoft.com
-    

-
-    If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
-
-    **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
-
-    
-    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-    

-
-34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
-
-    
-    PS C:\> ping www.microsoft.com
-
-    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
-    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
-    Ping statistics for 23.222.146.170:
-        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
-    Approximate round trip times in milli-seconds:
-        Minimum = 1ms, Maximum = 3ms, Average = 2ms
-    

-
-35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
-36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days.  To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
-
-    
-    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
-    Restart-Computer
-    

-
-This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
-
-## Appendix A: Verify the configuration
-
-Use the following procedures to verify that the PoC environment is configured properly and working as expected.
-
-1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-    
-    Get-Service NTDS,DNS,DHCP
-    DCDiag -a
-    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    Get-DhcpServerInDC
-    Get-DhcpServerv4Statistics
-    ipconfig /all
-    

-
-    **Get-Service** displays a status of "Running" for all three services.

-    **DCDiag** displays "passed test" for all tests.

-    **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.

-    **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.

-    **Resolve-DnsName** displays public IP address results for www.microsoft.com.

-    **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.

-    **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).

-    **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
-
-2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
-    
-    Get-Service DNS,RemoteAccess
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    ipconfig /all
-    netsh int ipv4 show address
-    

-
-    **Get-Service** displays a status of "Running" for both services.

-    **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.

-    **Resolve-DnsName** displays public IP address results for www.microsoft.com.

-    **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.

-    **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
-
-3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-    
-    whoami
-    hostname
-    nslookup www.microsoft.com
-    ping -n 1 dc1.contoso.com
-    tracert www.microsoft.com
-    

-
-    **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.

-    **hostname** displays the name of the local computer, for example W7PC-001.

-    **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.

-    **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.

-    **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
-
-
-## Appendix B: Terminology used in this guide
-
-
 
-
-

-
-
-
TermDefinition
-
GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
-
Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
-
Hyper-V hostThe computer where Hyper-V is installed.
-
Hyper-V ManagerThe user-interface console used to view and configure Hyper-V.
-
MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
-
Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
-
Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
-
Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host.
-
Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
-
VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
-

-
-

-
-## Related Topics
-
-
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
- 
-
- 
-
-
-
-
-
+---
+title: Configure a test lab to deploy Windows 10
+ms.reviewer: 
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt, sccm
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Step by step guide: Configure a test lab to deploy Windows 10
+
+**Applies to**
+
+-   Windows 10
+
+This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
+
+- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)

+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)

+
+The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
+
+Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
+
+Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
+
+> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
+> 
+> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
+
+Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting.
+
+## In this guide
+
+This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
+
+After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+

+
+

+
+
+
+
TopicDescriptionTime
Hardware and software requirementsPrerequisites to complete this guide.Informational
+
Lab setupA description and diagram of the PoC environment.Informational
+
Configure the PoC environmentParent topic for procedures.Informational
+
Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes
+
Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes
+
Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes
+
Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes
+
Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes
+
Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes
+
Configure VMsStart virtual machines and configure all services and settings.60 minutes
+
Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes
+
Appendix B: Terminology in this guideTerms used in this guide.Informational
+

+

+
+## Hardware and software requirements
+
+One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
+
+- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
+
+Hardware requirements are displayed below:
+
+

+
+
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+    
+
Computer 1 (required)Computer 2 (recommended)
RoleHyper-V hostClient computer
DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
EditionEnterprise, Professional, or EducationAny
Architecture64-bitAny
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
+        
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.		Any
Disk200 GB available hard disk space, any format.Any size, MBR formatted.
CPUSLAT-Capable CPUAny
NetworkInternet connectionAny

+
+
+\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
+

+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
+
+

+
+## Lab setup
+
+The lab architecture is summarized in the following diagram:
+
+![PoC](images/poc.png)
+
+- Computer 1 is configured to host four VMs on a private, PoC network.
+    - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+    - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
+
+>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
+
+The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
+
+## Configure the PoC environment
+
+>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
+
+### Procedures in this section
+
+[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)

+[Download VHD and ISO files](#download-vhd-and-iso-files)

+[Convert PC to VM](#convert-pc-to-vm)

+[Resize VHD](#resize-vhd)

+[Configure Hyper-V](#configure-hyper-v)

+[Configure VMs](#configure-vms)

+
+### Verify support and install Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+    
+    C:\>systeminfo
+
+    ...
+    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                               Virtualization Enabled In Firmware: Yes
+                               Second Level Address Translation: Yes
+                               Data Execution Prevention Available: Yes
+    

+
+    In this example, the computer supports SLAT and Hyper-V.
+
+    If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V.  However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+    You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+    
+    C:\>coreinfo -v
+
+    Coreinfo v3.31 - Dump information on system CPU and memory topology
+    Copyright (C) 2008-2014 Mark Russinovich
+    Sysinternals - www.sysinternals.com
+
+    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+    Microcode signature: 0000001B
+    HYPERVISOR      -       Hypervisor is present
+    VMX             *       Supports Intel hardware-assisted virtualization
+    EPT             *       Supports Intel extended page tables (SLAT)
+    

+
+    Note: A 64-bit operating system is required to run Hyper-V.
+
+2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
+
+    
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All

+
+    This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
+
+    
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools

+
+    When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
+
+    >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+    ![hyper-v feature](images/hyper-v-feature.png)
+
+    ![hyper-v](images/svr_mgr2.png)
+
+    
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+
+### Download VHD and ISO files
+
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
+
+1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+
+    **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
+
+    After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
+
+    
+    
+    
 VHD 

+
+2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
+4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+
+    >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
+
+5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
+
+After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+
+The following displays the procedures described in this section, both before and after downloading files:
+
+
+C:>mkdir VHD
+C:>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+   1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+

+
+### Convert PC to VM
+
+>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+
+

+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+

+
    
+
  1. Open the Download virtual machines page.
+
  2. Under Virtual machine, choose IE11 on Win7.
+
  3. Under Select platform choose HyperV (Windows).
+
  4. Click Download .zip. The download is 3.31 GB.
+
  5. Extract the zip file. Three directories are created.
+
  6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory.
+
  7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx).
+
  8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd.
+

+

+
+If you have a PC available to convert to VM (computer 2):
+
+1. Sign in on computer 2 using an account with Administrator privileges.
+
+>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+
+2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
+3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+
+#### Determine the VM generation and partition type
+
+When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
+
+

+
+
+    
+        
+        
+        
+        
+    
+    
+        
+        
+        
+        
+    
+    
+        
+        
+        
+        
+    
+
ArchitectureOperating systemPartition style
Generation 132-bit or 64-bitWindows 7 or laterMBR
Generation 264-bitWindows 8 or laterMBR or GPT

+
+

+
+If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
+
+- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
+- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
+
+
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+

+
+If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
+
+
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                           Caption                                 Type
+----------                           -------                                 ----
+USER-PC1                             Disk #0, Partition #0                   GPT: System
+USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
+

+
+On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
+
+
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                            Caption                               Type
+----------                            -------                               ----
+PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
+PC-X1                                 Disk #0, Partition #1                 GPT: System
+PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
+
+PS C:> Get-Disk
+
+Number Friendly Name                  OperationalStatus                     Total Size Partition Style
+------ -------------                  -----------------                     ---------- ---------------
+0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
+

+
+
+
+**Choosing a VM generation**
+
+The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
+
+

+
+
+    
+        
+        
+        
+        
+        
+    
+    
+        
+        
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+        
+        
+    
+    
+        
+        
+        
+    
+    
+        
+        
+        
+        
+    
+    
+        
+        
+        
+    
+
OSPartition styleArchitectureVM generationProcedure
Windows 7MBR321Prepare a generation 1 VM
641Prepare a generation 1 VM
GPT32N/AN/A
641Prepare a generation 1 VM from a GPT disk
Windows 8 or laterMBR321Prepare a generation 1 VM
641, 2Prepare a generation 1 VM
GPT321Prepare a generation 1 VM from a GPT disk
642Prepare a generation 2 VM

+
+

+
+Notes:

+
    
+
  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk.
+
  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM.
+
  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM.
+

+
+#### Prepare a generation 1 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
+
+    ![disk2vhd](images/disk2vhd.png)
+
+    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+    
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHDX
+    

+
+#### Prepare a generation 2 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, open an elevated command prompt and type the following command:
+
+    
mountvol s: /s

+
+    This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
+
+3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
+
+    **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
+
+5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
+
+    ![disk2vhd](images/disk2vhd-gen2.png)
+
+    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+    
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    PC1.VHDX
+    

+
+#### Prepare a generation 1 VM from a GPT disk
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
+4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
+
+    ![disk2vhd](images/disk2vhd4.png)
+
+    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+    
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHD
+    

+
+    >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+
+### Resize VHD
+
+

+Enhanced session mode
+
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+
+To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+
Set-VMhost -EnableEnhancedSessionMode $TRUE

+
+>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+
+

+
+The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
+
+1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+    
+    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+    

+
+2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
+
+    
+    Get-Volume -DriveLetter $x
+    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd

+
+### Configure Hyper-V
+
+1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
+
+    >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:

+       A) Remove the existing external virtual switch, then add the poc-external switch

+       B) Rename the existing external switch to "poc-external"

+       C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch

+    If you choose B) or C), then do not run the second command below.
+
+    
+    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+    

+
+    **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+
+    >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+
+2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
+
+    
+    (Get-VMHostNumaNode).MemoryAvailable
+    

+
+    This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
+
+3. Determine the available memory for VMs by dividing the available RAM by 4.  For example:
+
+    
+    (Get-VMHostNumaNode).MemoryAvailable/4
+    2775.5
+    

+
+    In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
+
+4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
+    >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
+
+    
+    $maxRAM = 2700MB
+    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+    

+
+    **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
+
+5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
+
+    To create a generation 1 VM (using c:\vhd\w7.vhdx):
+
+    
+    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    

+
+    To create a generation 2 VM (using c:\vhd\PC1.vhdx):
+
+    
+    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    

+
+    To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
+
+    >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
+
+    First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
+
+    
+    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+    Mount-VHD -Passthru |
+    Get-Disk -Number {$_.DiskNumber} |
+    Initialize-Disk -PartitionStyle MBR -PassThru |
+    New-Partition -UseMaximumSize |
+    Format-Volume -Confirm:$false -FileSystem NTFS -force
+    Dismount-VHD -Path c:\vhd\d.vhd
+    

+
+    Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
+
+    
+    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    Start-VM PC1
+    vmconnect localhost PC1
+    

+
+    The VM will automatically boot into Windows Setup. In the PC1 window:
+
+   1. Click **Next**.
+   2. Click **Repair your computer**.
+   3. Click **Troubleshoot**.
+   4. Click **Command Prompt**.
+   5. Type the following command to save an image of the OS drive:
+
+      
+      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+      

+
+   6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
+
+      
+      diskpart
+      select disk 0
+      clean
+      convert MBR
+      create partition primary size=100
+      format fs=ntfs quick
+      active
+      create partition primary
+      format fs=ntfs quick label=OS
+      assign letter=c
+      exit
+      

+
+   7. Type the following commands to restore the OS image and boot files:
+
+      
+      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+      bcdboot c:\windows
+      exit
+      

+
+   8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
+   9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
+   10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
+
+       
+       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+       Set-VMDvdDrive -VMName PC1 -Path $null
+       

+
+### Configure VMs
+
+1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
+
+    
+    Start-VM DC1
+    vmconnect localhost DC1
+    

+
+2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
+3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
+
+    
+    Rename-Computer DC1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+    

+
+   > The default gateway at 192.168.0.2 will be configured later in this guide.
+   > 
+   > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
+
+6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
+
+    
+    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+    

+
+7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
+
+    
+    Restart-Computer
+    

+
+8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
+
+    
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+    

+
+    Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
+
+9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
+
+    
+    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+    Add-WindowsFeature -Name DHCP -IncludeManagementTools
+    netsh dhcp add securitygroups
+    Restart-Service DHCPServer
+    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
+    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+    

+
+10. Next, add a DHCP scope and set option values:
+
+    
+    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+    

+
+    >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+
+11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
+
+    
+    Get-DnsServerForwarder
+    

+
+    The following output should be displayed:
+
+    
+    UseRootHint        : True
+    Timeout(s)         : 3
+    EnableReordering   : True
+    IPAddress          : 192.168.0.2
+    ReorderedIPAddress : 192.168.0.2
+    

+
+    If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
+
+    
+    Add-DnsServerForwarder -IPAddress 192.168.0.2
+    

+
+    **Configure service and user accounts**
+
+    Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+
+    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+    On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+    
+    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+    Set-ADUser -Identity user1 -PasswordNeverExpires $true
+    Set-ADUser -Identity administrator -PasswordNeverExpires $true
+    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+    

+
+12. Minimize the DC1 VM window but **do not stop** the VM.
+
+    Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
+
+13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
+
+    
+    Start-VM PC1
+    vmconnect localhost PC1
+    

+
+14. Sign in to PC1 using an account that has local administrator rights.
+
+    >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+
+15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
+
+    ![PoC](images/installing-drivers.png)
+
+    >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+
+16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
+
+17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
+
+    To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
+
+    ```
+    ipconfig
+
+    Windows IP Configuration
+
+    Ethernet adapter Local Area Connection 3:
+        Connection-specific DNS Suffix  . : contoso.com
+        Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
+        Ipv4 Address. . . . . . . . . . . : 192.168.0.101
+        Subnet Mask . . . . . . . . . . . : 255.255.255.0
+        Default Gateway . . . . . . . . . : 192.168.0.2
+
+    ping dc1.contoso.com
+
+    Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
+    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+    Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+
+    nltest /dsgetdc:contoso.com
+               DC: \\DC1
+          Address: \\192.168.0.1
+         Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
+         Dom Name: CONTOSO
+      Forest Name: contoso.com
+     Dc Site Name: Default-First-Site-Name
+    Our Site Name: Default-First-Site-Name
+            Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
+    ```
+
+    >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+
+18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
+
+    
+    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+    

+
+    >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+
+    See the following example:
+
+    ![ISE](images/ISE.png)
+
+19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
+
+    
+    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+    

+
+    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+
+    If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+
+21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
+
+    
+    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+    

+
+    >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+
+22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
+    >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
+
+    
+    Start-VM SRV1
+    vmconnect localhost SRV1
+    

+
+25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
+27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
+
+    
+    Rename-Computer SRV1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+    Restart-Computer
+    

+
+    >[!IMPORTANT]
+    >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet."  If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
+
+28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
+
+    
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+    

+
+29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
+
+    
+    Install-WindowsFeature -Name DNS -IncludeManagementTools
+    Install-WindowsFeature -Name WDS -IncludeManagementTools
+    Install-WindowsFeature -Name Routing -IncludeManagementTools
+    

+
+30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
+
+    To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
+
+    
+    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+    IPAddress                                                                  InterfaceAlias
+    ---------                                                                  --------------
+    10.137.130.118                                                             Ethernet 2
+    192.168.0.2                                                                Ethernet
+    

+
+    In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
+
+    >[!TIP]
+    >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
+
+
+31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+    
+    Install-RemoteAccess -VpnType Vpn
+    cmd /c netsh routing ip nat install
+    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+    

+
+32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+
+    
+    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+    

+
+33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
+
+    
+    ping www.microsoft.com
+    

+
+    If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+
+    **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
+
+    
+    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+    

+
+34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
+
+    
+    PS C:\> ping www.microsoft.com
+
+    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+    Ping statistics for 23.222.146.170:
+        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+    Approximate round trip times in milli-seconds:
+        Minimum = 1ms, Maximum = 3ms, Average = 2ms
+    

+
+35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
+36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days.  To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
+
+    
+    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+    Restart-Computer
+    

+
+This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+
+## Appendix A: Verify the configuration
+
+Use the following procedures to verify that the PoC environment is configured properly and working as expected.
+
+1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+    
+    Get-Service NTDS,DNS,DHCP
+    DCDiag -a
+    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    Get-DhcpServerInDC
+    Get-DhcpServerv4Statistics
+    ipconfig /all
+    

+
+    **Get-Service** displays a status of "Running" for all three services.

+    **DCDiag** displays "passed test" for all tests.

+    **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.

+    **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.

+    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.

+    **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.

+    **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).

+    **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
+
+2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+
+    
+    Get-Service DNS,RemoteAccess
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    ipconfig /all
+    netsh int ipv4 show address
+    

+
+    **Get-Service** displays a status of "Running" for both services.

+    **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.

+    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.

+    **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.

+    **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
+
+3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+    
+    whoami
+    hostname
+    nslookup www.microsoft.com
+    ping -n 1 dc1.contoso.com
+    tracert www.microsoft.com
+    

+
+    **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.

+    **hostname** displays the name of the local computer, for example W7PC-001.

+    **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.

+    **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.

+    **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
+
+
+## Appendix B: Terminology used in this guide
+
+
 
+
+

+
+
+
Term
+Definition
+
GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
+
Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
+
Hyper-V hostThe computer where Hyper-V is installed.
+
Hyper-V ManagerThe user-interface console used to view and configure Hyper-V.
+
MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
+
Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
+
Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
+
Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host.
+
Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
+
VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
+

+
+

+
+## Related Topics
+
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index 096ebe1151..4d7af27528 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -63,6 +63,9 @@ Note that the hardware hash also contains details about when it was generated, s
 
 Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.  The hash information can be extracted from Configuration Manager into a CSV file.
 
+> [!Note]
+> Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
+
 ### Collecting the hardware ID from existing devices using PowerShell
 
 The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
@@ -101,13 +104,13 @@ Once the hardware IDs have been captured from existing devices, they can be uplo
 -   [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles).  You might already be using MSfB to manage your apps and settings.
 
 A summary of each platform's capabilities is provided below.
-
+

 
-
+
+
+
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 9f4cdcfc25..a5c02be0ef 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -68,15 +68,16 @@ See the following examples.
     Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
     Install-Module AzureAD -Force
     Install-Module WindowsAutopilotIntune -Force
+    Install-Module Microsoft.Graph.Intune -Force
     ```
-
+    
 3. Enter the following lines and provide Intune administrative credentials
-   - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
+   - Be sure that the user account you specify has sufficient administrative rights.
 
      ```powershell
-     Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com
+     Connect-MSGraph
      ```
-     The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. 
+     The user and password for your account will be requested using a standard Azure AD form. Type your username and password and then click **Sign in**. 
      
See the following example:
 
      ![Azure AD authentication](images/pwd.png)
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 72b8aaf445..8c74c372fe 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,6 +1,6 @@
 ---
 title: Windows 10 deployment scenarios and tools
-description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
+description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
 ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
 ms.reviewer: 
 manager: laurawi
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 555eb005b1..2119a4bb72 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1703.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
 title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@@ -7,14 +7,14 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: brianlic-msft
+ms.author: brianlic
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
 audience: ITPro
-ms.date: 04/19/2019
-ms.reviewer: 
+ms.date: 01/04/2020
+ms.reviewer:
 ---
 
 
@@ -33,8 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 
 You can learn more about Windows functional and diagnostic data through these articles:
 
-
-- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
 - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@@ -60,6 +59,7 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
 - **DatasourceSystemBios_RS3**  The total DatasourceSystemBios objects targeting the next release of Windows on this device.
 - **DecisionApplicationFile_RS3**  The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS2**  The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows
 - **DecisionDevicePnp_RS3**  The total DecisionDevicePnp objects targeting the next release of Windows on this device.
 - **DecisionDriverPackage_RS3**  The total DecisionDriverPackage objects targeting the next release of Windows on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
@@ -77,7 +77,6 @@ The following fields are available:
 - **SystemWim**  The total number of objects of this type present on this device.
 - **SystemWindowsActivationStatus**  The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
 - **SystemWlan**  The total number of objects of this type present on this device.
-- **Wmdrm_RS3**  The total Wmdrm objects targeting the next release of Windows on this device.
 
 
 ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
@@ -92,7 +91,7 @@ The following fields are available:
 - **HasCitData**  Indicates whether the file is present in CIT data.
 - **HasUpgradeExe**  Indicates whether the anti-virus app has an upgrade.exe file.
 - **IsAv**  Is the file an anti-virus reporting EXE?
-- **ResolveAttempted**  This will always be an empty string when sending telemetry.
+- **ResolveAttempted**  This will always be an empty string when sending diagnostic data.
 - **SdbEntries**  An array of fields that indicates the SDB entries that apply to this file.
 
 
@@ -190,7 +189,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -221,7 +220,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
 
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -252,7 +251,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
 
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -283,7 +282,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
 
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
 
 The following fields are available:
 
@@ -315,7 +314,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
 
-This event sends compatibility decision data about a file to help keep Windows up-to-date.
+This event sends compatibility decision data about a file to help keep Windows up to date.
 
 The following fields are available:
 
@@ -364,7 +363,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
 
-This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
 
 The following fields are available:
 
@@ -790,7 +789,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **AppraiserVersion**  The version of the Appraiser binary (executable) generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
@@ -856,7 +855,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
 
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -927,7 +926,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
 
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -960,7 +959,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
 
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -1159,7 +1158,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWlanAdd
 
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -1196,32 +1195,32 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
 
-This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
 
 The following fields are available:
 
 - **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion**  The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion**  The version of the data files being used by the Appraiser diagnostic data run.
 - **AppraiserProcess**  The name of the process that launched Appraiser.
 - **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
 - **AuxFinal**  Obsolete, always set to false.
 - **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun**  Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun**  Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
 - **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
 - **InventoryFullSync**  Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
 - **PCFP**  An ID for the system calculated by hashing hardware identifiers.
 - **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
 - **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
 - **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult**  The hresult of the Appraiser telemetry run.
-- **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
+- **RunResult**  The hresult of the Appraiser diagnostic data run.
+- **SendingUtc**  Indicates whether the Appraiser client is sending events during the current diagnostic data run.
 - **StoreHandleIsNotNull**  Obsolete, always set to false
-- **TelementrySent**  Indicates if telemetry was successfully sent.
-- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent**  Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc**  Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
 - **Time**  The client time of the event.
 - **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
 - **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
@@ -1444,6 +1443,7 @@ The following fields are available:
 - **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
 - **OA3xOriginalProductKey**  Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition**  Retrieves the version of the current OS.
+- **OSInstallDateTime**  Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
 - **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
 - **OSOOBEDateTime**  Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU**  Retrieves the Friendly Name of OS Edition.
@@ -1538,6 +1538,7 @@ The following fields are available:
 - **InternalPrimaryDisplayResolutionVertical**  Retrieves the number of pixels in the vertical direction of the internal display.
 - **InternalPrimaryDisplaySizePhysicalH**  Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
 - **InternalPrimaryDisplaySizePhysicalY**  Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **InternalPrimaryDisplayType**  Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc.
 - **NumberofExternalDisplays**  Retrieves the number of external displays connected to the machine
 - **NumberofInternalDisplays**  Retrieves the number of internal displays in a machine.
 - **VRAMDedicated**  Retrieves the video RAM in MB.
@@ -1720,7 +1721,7 @@ The following fields are available:
 - **mon**  Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
 - **op**  Represents the ETW Op Code.
 - **raId**  Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **sqmId**  The Windows SQM ID.
+- **sqmId**  The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
 - **stId**  Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
 - **tickets**  An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events.
 
@@ -1778,6 +1779,47 @@ This event provides information about the results of installing optional Windows
 
 
 
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+
+
+### CbsServicingProvider.CbsSelectableUpdateChangeV2
+
+This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateState**  Indicates the highest applicable state of the optional content.
+- **buildVersion**  The build version of the package being installed.
+- **clientId**  The name of the application requesting the optional content change.
+- **downloadSource**  Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **downloadtimeInSeconds**  Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **executionID**  A unique ID used to identify events associated with a single servicing operation and not reused for future operations.
+- **executionSequence**  A counter that tracks the number of servicing operations attempted on the device.
+- **firstMergedExecutionSequence**  The value of a pervious executionSequence counter that is being merged with the current operation, if applicable.
+- **firstMergedID**  A unique ID of a pervious servicing operation that is being merged with this operation, if applicable.
+- **hrDownloadResult**  The return code of the download operation.
+- **hrStatusUpdate**  The return code of the servicing operation.
+- **identityHash**  A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled.
+- **initiatedOffline**  Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows.
+- **majorVersion**  The major version of the package being installed.
+- **minorVersion**  The minor version of the package being installed.
+- **packageArchitecture**  The architecture of the package being installed.
+- **packageLanguage**  The language of the package being installed.
+- **packageName**  The name of the package being installed.
+- **rebootRequired**  Indicates whether a reboot is required to complete the operation.
+- **revisionVersion**  The revision number of the package being installed.
+- **stackBuild**  The build number of the servicing stack binary performing the installation.
+- **stackMajorVersion**  The major version number of the servicing stack binary performing the installation.
+- **stackMinorVersion**  The minor version number of the servicing stack binary performing the installation.
+- **stackRevision**  The revision number of the servicing stack binary performing the installation.
+- **updateName**  The name of the optional Windows Operation System feature being enabled or disabled.
+- **updateStartState**  A value indicating the state of the optional content before the operation started.
+- **updateTargetState**  A value indicating the desired state of the optional content.
+
+
 ## Content Delivery Manager events
 
 ### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent
@@ -1864,7 +1906,7 @@ The following fields are available:
 
 ### TelClientSynthetic.ConnectivityHeartBeat_0
 
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
 
 The following fields are available:
 
@@ -2597,6 +2639,45 @@ The following fields are available:
 - **InventoryVersion**  The version of the inventory file generating the events.
 
 
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device.
+
+The following fields are available:
+
+- **AhaVersion**  The binary version of the App Health Analyzer tool.
+- **ApplicationErrors**  The count of application errors from the event log.
+- **Bitness**  The architecture type of the application (16 Bit or 32 bit or 64 bit).
+- **device_level**  Various JRE/JAVA versions installed on a particular device.
+- **ExtendedProperties**  Attribute used for aggregating all other attributes under this event type.
+- **Jar**  Flag to determine if an app has a Java JAR file dependency.
+- **Jre**  Flag to determine if an app has JRE framework dependency.
+- **Jre_version**  JRE versions an app has declared framework dependency for.
+- **Name**  Name of the application.
+- **NonDPIAware**  Flag to determine if an app is non-DPI aware
+- **NumBinaries**  Count of all binaries (.sys,.dll,.ini) from application install location.
+- **RequiresAdmin**  Flag to determine if an app requests admin privileges for execution.
+- **RequiresAdminv2**  Additional flag to determine if an app requests admin privileges for execution.
+- **RequiresUIAccess**  Flag to determine if an app is based on UI features for accessibility.
+- **VB6**  Flag to determine if an app is based on VB6 framework.
+- **VB6v2**  Additional flag to determine if an app is based on VB6 framework.
+- **Version**  Version of the application.
+- **VersionCheck**  Flag to determine if an app has a static dependency on OS version.
+- **VersionCheckv2**  Additional flag to determine if an app has a static dependency on OS version.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events.
+
+The following fields are available:
+
+- **AllowTelemetry**  Indicates the presence of the 'allowtelemetry' command line argument.
+- **CommandLineArgs**  Command line arguments passed when launching the App Health Analyzer executable.
+- **Enhanced**  Indicates the presence of the 'enhanced' command line argument.
+- **StartTime**  UTC date and time at which this event was sent.
+
+
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
 
 Invalid variant - Provides data on the installed Office Add-ins
@@ -2724,6 +2805,15 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 The following fields are available:
 
 - **IndicatorValue**  The indicator value.
+- **Value**  Describes an operating system indicator that may be relevant for the device upgrade.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 
 
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
@@ -2814,6 +2904,20 @@ The following fields are available:
 - **UptimeDeltaMS**  Duration in last state in milliseconds.
 
 
+## Migration events
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
+
+This event returns data about the count of the migration objects across various phases during feature update.
+
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update.
+
+
+
 ## OneDrive events
 
 ### Microsoft.OneDrive.Sync.Setup.APIOperation
@@ -4387,7 +4491,7 @@ The following fields are available:
 
 - **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
 - **EventScenario**  The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ExtendedStatusCode**  The secondary status code of the event.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
 - **LeafCertId**  The integral ID from the FragmentSigning data for the certificate that failed.
 - **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
 - **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
@@ -4799,7 +4903,13 @@ The following fields are available:
 
 ### FacilitatorTelemetry.DCATDownload
 
-This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
+
+
+
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
 
 
 
@@ -4811,7 +4921,7 @@ This event determines whether devices received additional or critical supplement
 
 ### Setup360Telemetry.Downlevel
 
-This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -5127,6 +5237,7 @@ The following fields are available:
 - **CategoryId**  The Item Category ID.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed before this operation.
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Was this requested by a user?
 - **IsMandatory**  Was this a mandatory update?
@@ -5137,6 +5248,7 @@ The following fields are available:
 - **PFN**  The product family name of the product being installed.
 - **ProductId**  The identity of the package or packages being installed.
 - **SystemAttemptNumber**  The total number of automatic attempts at installation before it was canceled.
+- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts at installation before it was canceled.
 - **WUContentId**  The Windows Update content ID.
 
@@ -5164,6 +5276,7 @@ The following fields are available:
 - **BundleId**  The identity of the Windows Insider build that is associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Was this requested by a user?
 - **IsMandatory**  Is this a mandatory update?
@@ -5203,16 +5316,20 @@ The following fields are available:
 
 - **AggregatedPackageFullNames**  Includes a set of package full names for each app that is part of an atomic set.
 - **AttemptNumber**  The total number of attempts to acquire this product.
+- **BundleId**  The bundle ID
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  HResult code to show the result of the operation (success/failure).
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Did the user initiate the installation?
 - **IsMandatory**  Is this a mandatory update?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this happening after a device restore?
 - **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this is a Win32app.
 - **ParentBundledId**  The product's parent bundle ID.
+- **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
@@ -5235,16 +5352,19 @@ The following fields are available:
 - **DownloadSize**  The total size of the download.
 - **ExtendedHResult**  Any extended HResult error codes.
 - **HResult**  The result code of the last action performed.
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this initiated by the user?
 - **IsMandatory**  Is this a mandatory installation?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this a restore of a previously acquired product?
 - **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this is a Win32 app (unused).
 - **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  The Product Family Name of the app being download.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to download.
+- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The number of attempts by the user to download.
 - **WUContentId**  The Windows Update content ID.
 
@@ -5280,16 +5400,19 @@ The following fields are available:
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **ExtendedHResult**  The extended HResult error code.
 - **HResult**  The result code of the last action performed.
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this an interactive installation?
 - **IsMandatory**  Is this a mandatory installation?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this automatically restoring a previously acquired product?
 - **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this a Win32 app (unused).
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The total number of system attempts.
+- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID.
 
@@ -5319,16 +5442,19 @@ The following fields are available:
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed.
+- **IntentPFNs**  The licensing identity of this package.
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this restoring previously acquired content?
 - **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this a Win32 app (unused).
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  The name of the package or packages requested for install.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The total number of system attempts.
+- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID.
 
@@ -5345,6 +5471,7 @@ The following fields are available:
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed.
+- **IntentPFNs**  The licensing identity of this package.
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
@@ -5414,6 +5541,7 @@ The following fields are available:
 - **BundleId**  The identity of the build associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
+- **IntentPFNs**  The licensing identity of this package.
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
@@ -5443,6 +5571,7 @@ The following fields are available:
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed before this operation.
+- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
@@ -6260,6 +6389,12 @@ This event sends data specific to the FixupEditionId mitigation used for OS Upda
 
 ## Windows Update Reserve Manager events
 
+### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+
+
+
 ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
 
 This event returns data about the Update Reserve Manager, including whether it’s been initialized.
@@ -6272,6 +6407,12 @@ This event is sent when the Update Reserve Manager removes a pending hard reserv
 
 
 
+### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+
+
+
 ## Winlogon events
 
 ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 1cecae9cf2..8c6ee5c804 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1709.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
 title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@@ -7,14 +7,14 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: brianlic-msft
+ms.author: brianlic
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
 audience: ITPro
-ms.date: 04/19/2019
-ms.reviewer: 
+ms.date: 01/04/2020
+ms.reviewer:
 ---
 
 
@@ -33,8 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 
 You can learn more about Windows functional and diagnostic data through these articles:
 
-
-- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
 - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
@@ -102,7 +101,7 @@ The following fields are available:
 - **HasCitData**  Indicates whether the file is present in CIT data.
 - **HasUpgradeExe**  Indicates whether the anti-virus app has an upgrade.exe file.
 - **IsAv**  Is the file an anti-virus reporting EXE?
-- **ResolveAttempted**  This will always be an empty string when sending telemetry.
+- **ResolveAttempted**  This will always be an empty string when sending diagnostic data.
 - **SdbEntries**  An array of fields that indicates the SDB entries that apply to this file.
 
 
@@ -201,7 +200,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -234,7 +233,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
 
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -267,7 +266,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
 
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -300,7 +299,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
 
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -333,7 +332,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
 
-This event sends compatibility decision data about a file to help keep Windows up-to-date.
+This event sends compatibility decision data about a file to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -347,7 +346,7 @@ The following fields are available:
 - **HasUxBlockOverride**  Does the file have a block that is overridden by a tag in the SDB?
 - **MigApplication**  Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
 - **MigRemoval**  Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
-- **NeedsDismissAction**  Will the file cause an action that can be dimissed?
+- **NeedsDismissAction**  Will the file cause an action that can be dismissed?
 - **NeedsInstallPostUpgradeData**  After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
 - **NeedsNotifyPostUpgradeData**  Does the file have a notification that should be shown after upgrade?
 - **NeedsReinstallPostUpgradeData**  After upgrade, this file will have a post-upgrade notification to reinstall the app.
@@ -384,7 +383,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
 
-This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -828,7 +827,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **AppraiserVersion**  The version of the Appraiser binary (executable) generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
@@ -895,7 +894,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
 
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -970,7 +969,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
 
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1005,7 +1004,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
 
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1216,7 +1215,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWlanAdd
 
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1255,7 +1254,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
 
-This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
 
 The following fields are available:
 
@@ -1266,21 +1265,21 @@ The following fields are available:
 - **AuxFinal**  Obsolete, always set to false.
 - **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun**  Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun**  Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
 - **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
 - **InventoryFullSync**  Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
 - **PCFP**  An ID for the system calculated by hashing hardware identifiers.
 - **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
 - **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
 - **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult**  The hresult of the Appraiser telemetry run.
-- **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
+- **RunResult**  The hresult of the Appraiser diagnostic data run.
+- **SendingUtc**  Indicates whether the Appraiser client is sending events during the current diagnostic data run.
 - **StoreHandleIsNotNull**  Obsolete, always set to false
-- **TelementrySent**  Indicates if telemetry was successfully sent.
-- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent**  Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc**  Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
 - **Time**  The client time of the event.
 - **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
 - **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
@@ -1819,7 +1818,7 @@ The following fields are available:
 - **mon**  Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
 - **op**  Represents the ETW Op Code.
 - **raId**  Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **sqmId**  The Windows SQM ID.
+- **sqmId**  The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
 - **stId**  Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
 - **tickets**  An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events.
 
@@ -1914,6 +1913,12 @@ The following fields are available:
 - **pendingDecision**  Indicates the cause of reboot, if applicable.
 
 
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+
+
 ### CbsServicingProvider.CbsSelectableUpdateChangeV2
 
 This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
@@ -1965,7 +1970,7 @@ Fired by UTC at startup to signal what data we are allowed to collect.
 
 ### TelClientSynthetic.ConnectivityHeartBeat_0
 
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
 
 
 
@@ -2476,7 +2481,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
 
-This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -2650,6 +2655,45 @@ The following fields are available:
 - **InventoryVersion**  The version of the inventory file generating the events.
 
 
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device.
+
+The following fields are available:
+
+- **AhaVersion**  The binary version of the App Health Analyzer tool.
+- **ApplicationErrors**  The count of application errors from the event log.
+- **Bitness**  The architecture type of the application (16 Bit or 32 bit or 64 bit).
+- **device_level**  Various JRE/JAVA versions installed on a particular device.
+- **ExtendedProperties**  Attribute used for aggregating all other attributes under this event type.
+- **Jar**  Flag to determine if an app has a Java JAR file dependency.
+- **Jre**  Flag to determine if an app has JRE framework dependency.
+- **Jre_version**  JRE versions an app has declared framework dependency for.
+- **Name**  Name of the application.
+- **NonDPIAware**  Flag to determine if an app is non-DPI aware
+- **NumBinaries**  Count of all binaries (.sys,.dll,.ini) from application install location.
+- **RequiresAdmin**  Flag to determine if an app requests admin privileges for execution.
+- **RequiresAdminv2**  Additional flag to determine if an app requests admin privileges for execution.
+- **RequiresUIAccess**  Flag to determine if an app is based on UI features for accessibility.
+- **VB6**  Flag to determine if an app is based on VB6 framework.
+- **VB6v2**  Additional flag to determine if an app is based on VB6 framework.
+- **Version**  Version of the application.
+- **VersionCheck**  Flag to determine if an app has a static dependency on OS version.
+- **VersionCheckv2**  Additional flag to determine if an app has a static dependency on OS version.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events.
+
+The following fields are available:
+
+- **AllowTelemetry**  Indicates the presence of the 'allowtelemetry' command line argument.
+- **CommandLineArgs**  Command line arguments passed when launching the App Health Analyzer executable.
+- **Enhanced**  Indicates the presence of the 'enhanced' command line argument.
+- **StartTime**  UTC date and time at which this event was sent.
+
+
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
 
 Invalid variant - Provides data on the installed Office Add-ins
@@ -2837,7 +2881,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **BrowserFlags**  Browser flags for Office-related products
+- **BrowserFlags**  Browser flags for Office-related products.
 - **ExchangeProviderFlags**  Office Exchange provider policies
 - **InventoryVersion**  The version of the inventory binary generating the events.
 - **SharedComputerLicensing**  Office Shared Computer Licensing policies
@@ -3039,6 +3083,26 @@ The following fields are available:
 - **UserInputTime**  The amount of time the loader application spent waiting for user input.
 
 
+## Migration events
+
+### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update.
+
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
+
+This event returns data about the count of the migration objects across various phases during feature update.
+
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update.
+
+
+
 ## OneDrive events
 
 ### Microsoft.OneDrive.Sync.Setup.APIOperation
@@ -4411,7 +4475,7 @@ The following fields are available:
 
 - **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
 - **EventScenario**  The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ExtendedStatusCode**  The secondary status code of the event.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
 - **LeafCertId**  The integral ID from the FragmentSigning data for the certificate that failed.
 - **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
 - **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
@@ -5032,7 +5096,13 @@ The following fields are available:
 
 ### FacilitatorTelemetry.DCATDownload
 
-This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
+
+
+
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
 
 
 
@@ -5044,7 +5114,7 @@ This event determines whether devices received additional or critical supplement
 
 ### Setup360Telemetry.Downlevel
 
-This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -5274,7 +5344,7 @@ The following fields are available:
 - **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended**  Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
 - **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
@@ -5293,6 +5363,18 @@ The following fields are available:
 - **m**  The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String.
 
 
+### Microsoft.Windows.WaaSMedic.RemediationFailed
+
+This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device.
+
+The following fields are available:
+
+- **diagnostic**  Parameter where the resolution failed.
+- **hResult**  Error code that resulted from attempting the resolution.
+- **isRemediated**  Indicates whether the condition was remediated.
+- **pluginName**  Name of the attempted resolution.
+
+
 ### Microsoft.Windows.WaaSMedic.Summary
 
 This event provides the results of the WaaSMedic diagnostic run
@@ -5459,6 +5541,7 @@ The following fields are available:
 
 - **AggregatedPackageFullNames**  Includes a set of package full names for each app that is part of an atomic set.
 - **AttemptNumber**  The total number of attempts to acquire this product.
+- **BundleId**  The bundle ID
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  HResult code to show the result of the operation (success/failure).
@@ -5468,6 +5551,7 @@ The following fields are available:
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this happening after a device restore?
 - **IsUpdate**  Is this an update?
+- **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
@@ -6573,6 +6657,7 @@ The following fields are available:
 This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
 
 
+
 ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
 
 This event returns data about the Update Reserve Manager, including whether it’s been initialized.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 94306ce392..64a869e06a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1803.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
 title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@@ -7,14 +7,14 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: brianlic-msft
+ms.author: brianlic
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
 audience: ITPro
-ms.date: 04/19/2019
-ms.reviewer: 
+ms.date: 01/04/2020
+ms.reviewer:
 ---
 
 
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 
 You can learn more about Windows functional and diagnostic data through these articles:
 
-- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
 - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
@@ -135,7 +135,7 @@ The following fields are available:
 - **HasCitData**  Indicates whether the file is present in CIT data.
 - **HasUpgradeExe**  Indicates whether the anti-virus app has an upgrade.exe file.
 - **IsAv**  Is the file an antivirus reporting EXE?
-- **ResolveAttempted**  This will always be an empty string when sent.
+- **ResolveAttempted**  This will always be an empty string when sending diagnostic data.
 - **SdbEntries**  An array of fields that indicates the SDB entries that apply to this file.
 
 
@@ -234,7 +234,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -267,7 +267,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
 
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -300,7 +300,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
 
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -333,7 +333,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
 
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -366,7 +366,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
 
-This event sends compatibility decision data about a file to help keep Windows up-to-date.
+This event sends compatibility decision data about a file to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -381,7 +381,7 @@ The following fields are available:
 - **HasUxBlockOverride**  Does the file have a block that is overridden by a tag in the SDB?
 - **MigApplication**  Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
 - **MigRemoval**  Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
-- **NeedsDismissAction**  Will the file cause an action that can be dimissed?
+- **NeedsDismissAction**  Will the file cause an action that can be dismissed?
 - **NeedsInstallPostUpgradeData**  After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
 - **NeedsNotifyPostUpgradeData**  Does the file have a notification that should be shown after upgrade?
 - **NeedsReinstallPostUpgradeData**  After upgrade, this file will have a post-upgrade notification to reinstall the app.
@@ -418,7 +418,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
 
-This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -865,7 +865,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **AppraiserVersion**  The version of the Appraiser binary (executable) generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
@@ -931,7 +931,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
 
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1006,7 +1006,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
 
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1041,7 +1041,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
 
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1258,7 +1258,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWlanAdd
 
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1297,18 +1297,18 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
 
-This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
 
 The following fields are available:
 
 - **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion**  The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion**  The version of the data files being used by the Appraiser diagnostic data run.
 - **AppraiserProcess**  The name of the process that launched Appraiser.
 - **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
 - **AuxFinal**  Obsolete, always set to false.
 - **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun**  Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun**  Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
 - **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
 - **InboxDataVersion**  The original version of the data files before retrieving any newer version.
 - **IndicatorsWritten**  Indicates if all relevant UEX indicators were successfully written or updated.
@@ -1317,14 +1317,14 @@ The following fields are available:
 - **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
 - **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
 - **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult**  The hresult of the Appraiser telemetry run.
-- **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
+- **RunResult**  The hresult of the Appraiser diagnostic data run.
+- **SendingUtc**  Indicates whether the Appraiser client is sending events during the current diagnostic data run.
 - **StoreHandleIsNotNull**  Obsolete, always set to false
-- **TelementrySent**  Indicates if telemetry was successfully sent.
-- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent**  Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc**  Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
 - **Time**  The client time of the event.
 - **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
 - **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
@@ -1391,6 +1391,18 @@ The following fields are available:
 - **IEVersion**  The version of Internet Explorer that is running on the device.
 
 
+### Census.Azure
+
+This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets.
+
+The following fields are available:
+
+- **CloudCoreBuildEx**  The Azure CloudCore build number.
+- **CloudCoreSupportBuildEx**  The Azure CloudCore support build number.
+- **NodeID**  The node identifier on the device that indicates whether the device is part of the Azure fleet.
+- **PartA_PrivTags**  The privacy tags associated with the event.
+
+
 ### Census.Battery
 
 This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
@@ -2105,6 +2117,43 @@ The following fields are available:
 - **transactionCanceled**  Indicates whether the uninstall was cancelled.
 
 
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion**  The build version number of the update package.
+- **clientId**  The name of the application requesting the optional content.
+- **corruptionHistoryFlags**  A bitmask of the types of component store corruption that have caused update failures on the device.
+- **corruptionType**  An enumeration listing the type of data corruption responsible for the current update failure.
+- **currentStateEnd**  The final state of the package after the operation has completed.
+- **doqTimeSeconds**  The time in seconds spent updating drivers.
+- **executeTimeSeconds**  The number of seconds required to execute the install.
+- **failureDetails**  The driver or installer that caused the update to fail.
+- **failureSourceEnd**  An enumeration indicating at what phase of the update a failure occurred.
+- **hrStatusEnd**  The return code of the install operation.
+- **initiatedOffline**  A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file.
+- **majorVersion**  The major version number of the update package.
+- **minorVersion**  The minor version number of the update package.
+- **originalState**  The starting state of the package.
+- **overallTimeSeconds**  The time (in seconds) to perform the overall servicing operation.
+- **PartA_PrivTags**  The privacy tags associated with the event.
+- **planTimeSeconds**  The time in seconds required to plan the update operations.
+- **poqTimeSeconds**  The time in seconds processing file and registry operations.
+- **postRebootTimeSeconds**  The time (in seconds) to do startup processing for the update.
+- **preRebootTimeSeconds**  The time (in seconds) between execution of the installation and the reboot.
+- **primitiveExecutionContext**  An enumeration indicating at what phase of shutdown or startup the update was installed.
+- **rebootCount**  The number of reboots required to install the update.
+- **rebootTimeSeconds**  The time (in seconds) before startup processing begins for the update.
+- **resolveTimeSeconds**  The time in seconds required to resolve the packages that are part of the update.
+- **revisionVersion**  The revision version number of the update package.
+- **rptTimeSeconds**  The time in seconds spent executing installer plugins.
+- **shutdownTimeSeconds**  The time (in seconds) required to do shutdown processing for the update.
+- **stackRevision**  The revision number of the servicing stack.
+- **stageTimeSeconds**  The time (in seconds) required to stage all files that are part of the update.
+
+
 ### CbsServicingProvider.CbsSelectableUpdateChangeV2
 
 This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
@@ -2250,7 +2299,7 @@ The following fields are available:
 
 ### TelClientSynthetic.ConnectivityHeartbeat_0
 
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
 
 The following fields are available:
 
@@ -3394,7 +3443,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
 
-This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -3568,6 +3617,50 @@ The following fields are available:
 - **InventoryVersion**  The version of the inventory file generating the events.
 
 
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AhaVersion**  The binary version of the App Health Analyzer tool.
+- **ApplicationErrors**  The count of application errors from the event log.
+- **Bitness**  The architecture type of the application (16 Bit or 32 bit or 64 bit).
+- **device_level**  Various JRE/JAVA versions installed on a particular device.
+- **ExtendedProperties**  Attribute used for aggregating all other attributes under this event type.
+- **Jar**  Flag to determine if an app has a Java JAR file dependency.
+- **Jre**  Flag to determine if an app has JRE framework dependency.
+- **Jre_version**  JRE versions an app has declared framework dependency for.
+- **Name**  Name of the application.
+- **NonDPIAware**  Flag to determine if an app is non-DPI aware
+- **NumBinaries**  Count of all binaries (.sys,.dll,.ini) from application install location.
+- **ProgramId**  The ID of the associated program.
+- **RequiresAdmin**  Flag to determine if an app requests admin privileges for execution.
+- **RequiresAdminv2**  Additional flag to determine if an app requests admin privileges for execution.
+- **RequiresUIAccess**  Flag to determine if an app is based on UI features for accessibility.
+- **VB6**  Flag to determine if an app is based on VB6 framework.
+- **VB6v2**  Additional flag to determine if an app is based on VB6 framework.
+- **Version**  Version of the application.
+- **VersionCheck**  Flag to determine if an app has a static dependency on OS version.
+- **VersionCheckv2**  Additional flag to determine if an app has a static dependency on OS version.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AllowTelemetry**  Indicates the presence of the 'allowtelemetry' command line argument.
+- **CommandLineArgs**  Command line arguments passed when launching the App Health Analyzer executable.
+- **Enhanced**  Indicates the presence of the 'enhanced' command line argument.
+- **StartTime**  UTC date and time at which this event was sent.
+
+
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
 
 Provides data on the installed Office Add-ins
@@ -3760,10 +3853,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **BrowserFlags**  Browser flags for Office-related products
-- **ExchangeProviderFlags**  Provider policies for Office Exchange
+- **BrowserFlags**  Browser flags for Office-related products.
+- **ExchangeProviderFlags**  Provider policies for Office Exchange.
 - **InventoryVersion**  The version of the inventory binary generating the events.
-- **SharedComputerLicensing**  Office shared computer licensing policies
+- **SharedComputerLicensing**  Office shared computer licensing policies.
 
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
@@ -3994,6 +4087,215 @@ The following fields are available:
 - **UptimeDeltaMS**  Total time (in milliseconds) added to Uptime since the last event
 
 
+## Microsoft Edge events
+
+### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's  used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date.
+
+The following fields are available:
+
+- **appAp**  Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
+- **appAppId**  The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
+- **appBrandCode**  The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appChannel**  An integer indicating the channel of the installation (e.g. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort**  A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint**  A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName**  A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState**  Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall**  The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown).
+- **appExperiments**  A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''.
+- **appInstallTimeDiffSec**  The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang**  The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appNextVersion**  The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
+- **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs**  For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError**  The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint**  For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs**  For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode**  The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult**  An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error).
+- **appPingEventEventType**  An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown).
+- **appPingEventExtraCode1**  Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs**  For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded**  The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventSequenceId**  An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex**  For events representing a download, the position of the download URL in the list of URLs supplied by the server in a  tag.
+- **appPingEventUpdateCheckTimeMs**	For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled**  The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix**  A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken**  An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''.
+- **appVersion**  The version of the product install. Default: '0.0.0.0'.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType**  A string representation of appPingEventEventType indicating the type of the event.
+- **hwHasAvx**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2**  '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3**  '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41**  '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42**  '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3**  '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwPhysmemory**  The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined**  '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **osArch**  The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform**  The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack**  The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion**  The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec**  The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref**  A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined**  '1' if the device is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource**  A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine**  '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion**  The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion**  The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion**  The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients MUST always transmit this attribute. Default: undefined.
+- **requestRequestId**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Default: ''.
+- **requestSessionCorrelationVectorBase**  A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId**  A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique sessionid. Default: ''.
+- **requestTestSource**  Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''.
+
+
+### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+## Migration events
+
+### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update.
+
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
+
+This event returns data about the count of the migration objects across various phases during feature update.
+
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update.
+
+
+
 ## Miracast events
 
 ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
@@ -4937,6 +5239,12 @@ The following fields are available:
 
 ## SIH events
 
+### SIHEngineTelemetry.ExecuteAction
+
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+
+
+
 ### SIHEngineTelemetry.SLSActionData
 
 This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated.
@@ -5287,28 +5595,111 @@ The following fields are available:
 - **CallerApplicationName**  Name of application making the Windows Update request. Used to identify context of request.
 - **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
 - **EventScenario**  The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ExtendedStatusCode**  The secondary status code of the event.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
 - **LeafCertId**  The integral ID from the FragmentSigning data for the certificate that failed.
 - **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
 - **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
-- **MetadataSignature**  Base64 string of the signature associated with the update metadata (specified by revision id)
+- **MetadataSignature**  A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
 - **RawMode**  The raw unparsed mode string from the SLS response. This field is null if not applicable.
 - **RawValidityWindowInDays**  The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **RevisionId**  Identifies the revision of this specific piece of content
-- **RevisionNumber**  Identifies the revision number of this specific piece of content
+- **RevisionId**  The revision ID for a specific piece of content.
+- **RevisionNumber**  The revision number for a specific piece of content.
 - **ServiceGuid**  Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
 - **SHA256OfLeafCerData**  A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfLeafCertPublicKey**  Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
+- **SHA256OfLeafCertPublicKey**  A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
 - **SHA256OfTimestampToken**  An encoded string of the timestamp token.
-- **SignatureAlgorithm**  Hash algorithm for the metadata signature
+- **SignatureAlgorithm**  The hash algorithm for the metadata signature.
 - **SLSPrograms**  A test program to which a device may have opted in. Example: Insider Fast
-- **StatusCode**  The status code of the event.
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
 - **TimestampTokenCertThumbprint**  The thumbprint of the encoded timestamp token.
 - **TimestampTokenId**  The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
-- **UpdateId**  Identifier associated with the specific piece of content
+- **UpdateId**  The update ID for a specific piece of content.
 - **ValidityWindowInDays**  The validity window that's in effect when verifying the timestamp.
 
 
+## Update Assistant events
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
+
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
+
+The following fields are available:
+
+- **ApplicabilityBlockedReason**  Blocked due to an applicability issue.
+- **BlockWuUpgrades**  The upgrade assistant is currently blocked.
+- **clientID**  An identification of the current release of Update Assistant.
+- **CloverTrail**  This device is Clovertrail.
+- **DeviceIsMdmManaged**  This device is MDM managed.
+- **IsNetworkAvailable**  If the device network is not available.
+- **IsNetworkMetered**  If network is metered.
+- **IsSccmManaged**  This device is SCCM managed.
+- **NewlyInstalledOs**  OS is newly installed quiet period.
+- **PausedByPolicy**  Updates are paused by policy.
+- **RecoveredFromRS3**  Previously recovered from RS3.
+- **RS1UninstallActive**  Blocked due to an active RS1 uninstall.
+- **RS3RollBacks**  Exceeded number of allowable RS3 rollbacks.
+- **triggerTaskSource**  Describe which task launches this instance.
+- **WsusManaged**  This device is WSUS managed.
+- **ZeroExhaust**  This device is zero exhaust.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
+
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+
+The following fields are available:
+
+- **clientID**  An identification of the current release of Update Assistant.
+- **denyReason**  All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason.
+- **triggerTaskSource**  Describe which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
+
+Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+
+The following fields are available:
+
+- **calendarRun**  Standard time-based triggered task.
+- **clientID**  An identification of the current release of Update Assistant.
+- **hResult**  Error code of the Update Assistant Orchestrator failure.
+- **triggerTaskSource**  Describe which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
+
+Event indicating One Settings was not queried by update assistant.
+
+The following fields are available:
+
+- **clientID**  An identification of the current release of Update Assistant.
+- **hResult**  Error code of One Settings query failure.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
+
+This event sends basic information on whether the device should be updated to the latest Windows 10 version.
+
+The following fields are available:
+
+- **autoStartRunCount**  The auto start run count of Update Assistant.
+- **clientID**  The ID of the current release of Update Assistant.
+- **launchMode**  Indicates the type of launch performed.
+- **launchTypeReason**  A bitmask of all the reasons for type of launch.
+- **triggerTaskSource**  Indicates which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
+
+The event sends basic info on whether the Windows 10 update notification has previously launched.
+
+The following fields are available:
+
+- **clientID**  ID of the current release of Update Assistant.
+- **restoreReason**  All the reasons for the restore.
+- **triggerTaskSource**  Indicates which task launches this instance.
+
+
 ## Update events
 
 ### Update360Telemetry.Revert
@@ -5722,7 +6113,7 @@ The following fields are available:
 
 ### FacilitatorTelemetry.DCATDownload
 
-This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -5760,7 +6151,7 @@ The following fields are available:
 
 ### Setup360Telemetry.Downlevel
 
-This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -6041,7 +6432,7 @@ The following fields are available:
 - **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended**  Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
 - **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
@@ -6219,6 +6610,7 @@ The following fields are available:
 
 - **AggregatedPackageFullNames**  Includes a set of package full names for each app that is part of an atomic set.
 - **AttemptNumber**  The total number of attempts to acquire this product.
+- **BundleId**  The bundle ID
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  HResult code to show the result of the operation (success/failure).
@@ -6228,6 +6620,7 @@ The following fields are available:
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this happening after a device restore?
 - **IsUpdate**  Is this an update?
+- **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
@@ -7169,6 +7562,19 @@ The following fields are available:
 - **wuDeviceid**  The unique device ID used by Windows Update.
 
 
+### Microsoft.Windows.Update.Orchestrator.DetectionResult
+
+This event runs when an update is detected. This helps ensure Windows is kept up to date.
+
+The following fields are available:
+
+- **applicableUpdateIdList**  A list of applicable update IDs.
+- **applicableUpdateList**  A list of applicable update names.
+- **seekerUpdateIdList**  A list of optional update IDs.
+- **seekerUpdateList**  A list of optional update names.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
 ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
 
 This event indicates the reboot was postponed due to needing a display.
@@ -7481,6 +7887,32 @@ The following fields are available:
 - **wuDeviceid**  Unique device ID used by Windows Update.
 
 
+### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable
+
+This event defines when an optional update is available for the device to help keep Windows up to date.
+
+The following fields are available:
+
+- **flightID**  The unique identifier of the Windows Insider build on this device.
+- **isFeatureUpdate**  Indicates whether the update is a Feature Update.
+- **revisionNumber**  The revision number of the update.
+- **updateId**  The GUID (Globally Unique Identifier) of the update.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.SeekUpdate
+
+This event occurs when user initiates "seeker" scan. This helps keep Windows up to date.
+
+The following fields are available:
+
+- **flightID**  The ID of the Windows Insider builds on the device.
+- **isFeatureUpdate**  Indicates that the target of the Seek is a feature update.
+- **revisionNumber**  The revision number of the update.
+- **updateId**  The identifier of the update.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
 ### Microsoft.Windows.Update.Orchestrator.SystemNeeded
 
 This event sends data about why a device is unable to reboot, to help keep Windows up to date.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 65bf5e307f..bbf2e70bfb 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10,  version 1809.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
 title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@@ -7,14 +7,14 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: dansimp
-ms.author: dansimp
+author: brianlic-msft
+ms.author: brianlic
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
 audience: ITPro
-ms.date: 04/19/2019
-ms.reviewer: 
+ms.date: 01/04/2020
+ms.reviewer:
 ---
 
 
@@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 
 You can learn more about Windows functional and diagnostic data through these articles:
 
-- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+
+- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
 - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
 - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
 - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
@@ -81,7 +82,7 @@ Automatically closed activity for start/stop operations that aren't explicitly c
 
 ### Microsoft.Windows.Security.AppLockerCSP.AddParams
 
-Parameters passed to Add function of the AppLockerCSP Node.
+This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -91,13 +92,13 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.AddStart
 
-Start of "Add" Operation for the AppLockerCSP Node.
+This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
 ### Microsoft.Windows.Security.AppLockerCSP.AddStop
 
-End of "Add" Operation for AppLockerCSP Node.
+This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -106,7 +107,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
 
-Result of the 'Rollback' operation in AppLockerCSP.
+This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -116,7 +117,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.ClearParams
 
-Parameters passed to the "Clear" operation for AppLockerCSP.
+This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -125,13 +126,13 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.ClearStart
 
-Start of the "Clear" operation for the AppLockerCSP Node.
+This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
 ### Microsoft.Windows.Security.AppLockerCSP.ClearStop
 
-End of the "Clear" operation for the AppLockerCSP node.
+This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -140,7 +141,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart
 
-Start of the "ConfigManagerNotification" operation for AppLockerCSP.
+This event indicates the start of the Configuration Manager Notification operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -149,7 +150,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop
 
-End of the "ConfigManagerNotification" operation for AppLockerCSP.
+This event indicates the end of the Configuration Manager Notification operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -158,7 +159,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
 
-Parameters passed to the CreateNodeInstance function of the AppLockerCSP node.
+This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -169,13 +170,13 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
 
-Start of the "CreateNodeInstance" operation for the AppLockerCSP node.
+This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
 ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
 
-End of the "CreateNodeInstance" operation for the AppLockerCSP node
+This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -184,7 +185,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
 
-Parameters passed to the DeleteChild function of the AppLockerCSP node.
+This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -194,13 +195,13 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
 
-Start of the "DeleteChild" operation for the AppLockerCSP node.
+This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
 ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
 
-End of the "DeleteChild" operation for the AppLockerCSP node.
+This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -209,7 +210,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
 
-Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present.
+This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present.
 
 The following fields are available:
 
@@ -218,7 +219,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
 
-Parameters passed to the GetChildNodeNames function of the AppLockerCSP node.
+This event provides the parameters passed to the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -227,13 +228,13 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
 
-Start of the "GetChildNodeNames" operation for the AppLockerCSP node.
+This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
 ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
 
-End of the "GetChildNodeNames" operation for the AppLockerCSP node.
+This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -244,7 +245,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.GetLatestId
 
-The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID).
+This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -254,7 +255,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.HResultException
 
-HRESULT thrown by any arbitrary function in AppLockerCSP.
+This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration Service Provider (CSP).
 
 The following fields are available:
 
@@ -266,7 +267,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.SetValueParams
 
-Parameters passed to the SetValue function of the AppLockerCSP node.
+This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 The following fields are available:
 
@@ -276,7 +277,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.SetValueStart
 
-Start of the "SetValue" operation for the AppLockerCSP node.
+This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
 
 
 
@@ -291,7 +292,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
 
-EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed.
+This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that needs to be fixed.
 
 The following fields are available:
 
@@ -309,6 +310,8 @@ The following fields are available:
 - **DatasourceApplicationFile_19ASetup**  The count of the number of this particular object type present on this device.
 - **DatasourceApplicationFile_19H1**  The count of the number of this particular object type present on this device.
 - **DatasourceApplicationFile_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_20H1**  The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DatasourceApplicationFile_RS1**  An ID for the system, calculated by hashing hardware identifiers.
 - **DatasourceApplicationFile_RS2**  An ID for the system, calculated by hashing hardware identifiers.
 - **DatasourceApplicationFile_RS3**  The count of the number of this particular object type present on this device.
@@ -322,6 +325,8 @@ The following fields are available:
 - **DatasourceDevicePnp_19ASetup**  The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_19H1**  The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1**  The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_RS1**  The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
 - **DatasourceDevicePnp_RS2**  The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_RS3**  The count of the number of this particular object type present on this device.
@@ -335,6 +340,8 @@ The following fields are available:
 - **DatasourceDriverPackage_19ASetup**  The count of the number of this particular object type present on this device.
 - **DatasourceDriverPackage_19H1**  The count of the number of this particular object type present on this device.
 - **DatasourceDriverPackage_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1**  The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DatasourceDriverPackage_RS1**  The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
 - **DatasourceDriverPackage_RS2**  The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
 - **DatasourceDriverPackage_RS3**  The count of the number of this particular object type present on this device.
@@ -348,6 +355,8 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_19ASetup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoBlock_19H1**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoBlock_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_20H1**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoBlock_RS1**  The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
 - **DataSourceMatchingInfoBlock_RS2**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoBlock_RS3**  The count of the number of this particular object type present on this device.
@@ -361,6 +370,8 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_19ASetup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPassive_19H1**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPassive_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_20H1**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPassive_RS1**  The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
 - **DataSourceMatchingInfoPassive_RS2**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPassive_RS3**  The count of the number of this particular object type present on this device.
@@ -374,6 +385,8 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_19ASetup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_19H1**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_20H1**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -387,6 +400,8 @@ The following fields are available:
 - **DatasourceSystemBios_19ASetup**  The count of the number of this particular object type present on this device.
 - **DatasourceSystemBios_19H1**  The count of the number of this particular object type present on this device.
 - **DatasourceSystemBios_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_20H1**  The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DatasourceSystemBios_RS1**  The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
 - **DatasourceSystemBios_RS2**  The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
 - **DatasourceSystemBios_RS3**  The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
@@ -400,6 +415,8 @@ The following fields are available:
 - **DecisionApplicationFile_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_RS1**  The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_RS2**  The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_RS3**  The count of the number of this particular object type present on this device.
@@ -413,6 +430,8 @@ The following fields are available:
 - **DecisionDevicePnp_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionDevicePnp_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionDevicePnp_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionDevicePnp_RS1**  The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
 - **DecisionDevicePnp_RS2**  The count of the number of this particular object type present on this device.
 - **DecisionDevicePnp_RS3**  The count of the number of this particular object type present on this device.
@@ -426,6 +445,8 @@ The following fields are available:
 - **DecisionDriverPackage_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionDriverPackage_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionDriverPackage_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionDriverPackage_RS1**  The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
 - **DecisionDriverPackage_RS2**  The count of the number of this particular object type present on this device.
 - **DecisionDriverPackage_RS3**  The count of the number of this particular object type present on this device.
@@ -439,6 +460,8 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoBlock_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoBlock_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoBlock_RS1**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
 - **DecisionMatchingInfoBlock_RS2**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
@@ -452,6 +475,8 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPassive_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPassive_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPassive_RS1**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
 - **DecisionMatchingInfoPassive_RS2**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device.
 - **DecisionMatchingInfoPassive_RS3**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
@@ -465,6 +490,8 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPostUpgrade_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPostUpgrade_19H1Setup**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -478,6 +505,8 @@ The following fields are available:
 - **DecisionMediaCenter_19ASetup**  The count of the number of this particular object type present on this device.
 - **DecisionMediaCenter_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionMediaCenter_19H1Setup**  The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionMediaCenter_RS1**  The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
 - **DecisionMediaCenter_RS2**  The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
 - **DecisionMediaCenter_RS3**  The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
@@ -491,6 +520,8 @@ The following fields are available:
 - **DecisionSystemBios_19ASetup**  The total DecisionSystemBios objects targeting the next release of Windows on this device.
 - **DecisionSystemBios_19H1**  The count of the number of this particular object type present on this device.
 - **DecisionSystemBios_19H1Setup**  The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_20H1**  The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionSystemBios_RS1**  The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
 - **DecisionSystemBios_RS2**  The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device.
 - **DecisionSystemBios_RS3**  The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
@@ -502,6 +533,7 @@ The following fields are available:
 - **DecisionSystemBios_TH1**  The count of the number of this particular object type present on this device.
 - **DecisionSystemBios_TH2**  The count of the number of this particular object type present on this device.
 - **DecisionSystemProcessor_RS2**  The count of the number of this particular object type present on this device.
+- **DecisionTest_20H1Setup**  The count of the number of this particular object type present on this device.
 - **DecisionTest_RS1**  An ID for the system, calculated by hashing hardware identifiers.
 - **InventoryApplicationFile**  The count of the number of this particular object type present on this device.
 - **InventoryDeviceContainer**  A count of device container objects in cache.
@@ -529,6 +561,8 @@ The following fields are available:
 - **Wmdrm_19ASetup**  The count of the number of this particular object type present on this device.
 - **Wmdrm_19H1**  The count of the number of this particular object type present on this device.
 - **Wmdrm_19H1Setup**  The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_20H1**  The count of the number of this particular object type present on this device.
+- **Wmdrm_20H1Setup**  The count of the number of this particular object type present on this device.
 - **Wmdrm_RS1**  An ID for the system, calculated by hashing hardware identifiers.
 - **Wmdrm_RS2**  An ID for the system, calculated by hashing hardware identifiers.
 - **Wmdrm_RS3**  An ID for the system, calculated by hashing hardware identifiers.
@@ -555,7 +589,7 @@ The following fields are available:
 - **HasCitData**  Indicates whether the file is present in CIT data.
 - **HasUpgradeExe**  Indicates whether the anti-virus app has an upgrade.exe file.
 - **IsAv**  Is the file an anti-virus reporting EXE?
-- **ResolveAttempted**  This will always be an empty string when sending telemetry.
+- **ResolveAttempted**  This will always be an empty string when sending diagnostic data.
 - **SdbEntries**  An array of fields that indicates the SDB entries that apply to this file.
 
 
@@ -659,13 +693,14 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the appraiser file generating the events.
+- **ResolveAttempted**  This will always be an empty string when sending diagnostic data.
 
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
@@ -692,7 +727,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
 
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -725,7 +760,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
 
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -758,7 +793,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
 
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -791,7 +826,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
 
-This event sends compatibility decision data about a file to help keep Windows up-to-date.
+This event sends compatibility decision data about a file to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -806,7 +841,7 @@ The following fields are available:
 - **HasUxBlockOverride**  Does the file have a block that is overridden by a tag in the SDB?
 - **MigApplication**  Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
 - **MigRemoval**  Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
-- **NeedsDismissAction**  Will the file cause an action that can be dimissed?
+- **NeedsDismissAction**  Will the file cause an action that can be dismissed?
 - **NeedsInstallPostUpgradeData**  After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
 - **NeedsNotifyPostUpgradeData**  Does the file have a notification that should be shown after upgrade?
 - **NeedsReinstallPostUpgradeData**  After upgrade, this file will have a post-upgrade notification to reinstall the app.
@@ -843,7 +878,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
 
-This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -941,10 +976,12 @@ The following fields are available:
 - **AppraiserVersion**  The version of the appraiser file generating the events.
 - **BlockingApplication**  Are there are any application issues that interfere with upgrade due to matching info blocks?
 - **DisplayGenericMessage**  Will a generic message be shown for this block?
+- **NeedsDismissAction**  Will the file cause an action that can be dismissed?
 - **NeedsUninstallAction**  Does the user need to take an action in setup due to a matching info block?
 - **SdbBlockUpgrade**  Is a matching info block blocking upgrade?
 - **SdbBlockUpgradeCanReinstall**  Is a matching info block blocking upgrade, but has the can reinstall tag?
 - **SdbBlockUpgradeUntilUpdate**  Is a matching info block blocking upgrade but has the until update tag?
+- **SdbReinstallUpgradeWarn**  The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
 
 
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
@@ -1295,7 +1332,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **AppraiserVersion**  The version of the Appraiser binary (executable) generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
@@ -1363,7 +1400,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
 
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1438,7 +1475,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
 
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1473,7 +1510,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
 
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1684,7 +1721,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWlanAdd
 
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -1723,18 +1760,18 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
 
-This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
 
 The following fields are available:
 
 - **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion**  The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion**  The version of the data files being used by the Appraiser diagnostic data run.
 - **AppraiserProcess**  The name of the process that launched Appraiser.
 - **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
 - **AuxFinal**  Obsolete, always set to false.
 - **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun**  Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun**  Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
 - **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
 - **InboxDataVersion**  The original version of the data files before retrieving any newer version.
 - **IndicatorsWritten**  Indicates if all relevant UEX indicators were successfully written or updated.
@@ -1743,18 +1780,19 @@ The following fields are available:
 - **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
 - **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
 - **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult**  The hresult of the Appraiser telemetry run.
+- **RunResult**  The hresult of the Appraiser diagnostic data run.
 - **ScheduledUploadDay**  The day scheduled for the upload.
-- **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
+- **SendingUtc**  Indicates whether the Appraiser client is sending events during the current diagnostic data run.
 - **StoreHandleIsNotNull**  Obsolete, always set to false
-- **TelementrySent**  Indicates if telemetry was successfully sent.
-- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent**  Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc**  Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
 - **Time**  The client time of the event.
 - **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
 - **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
+- **WhyRunSkipped**  Indicates the reason or reasons that an appraiser run was skipped.
 
 
 ### Microsoft.Windows.Appraiser.General.WmdrmAdd
@@ -1798,6 +1836,47 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+## Audio endpoint events
+
+### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo
+
+This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint.
+
+The following fields are available:
+
+- **BusEnumeratorName**  The name of the bus enumerator (for example, HDAUDIO or USB).
+- **ContainerId**  An identifier that uniquely groups the functional devices associated with a single-function or multifunction device.
+- **DeviceInstanceId**  The unique identifier for this instance of the device.
+- **EndpointDevnodeId**  The IMMDevice identifier of the associated devnode.
+- **EndpointFormFactor**  The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote  network device).
+- **endpointID**  The unique identifier for the audio endpoint.
+- **endpointInstanceId**  The unique identifier for the software audio endpoint. Used for joining to other audio event.
+- **Flow**  Indicates whether the endpoint is capture (1) or render (0).
+- **HWID**  The hardware identifier for the endpoint.
+- **IsBluetooth**  Indicates whether the device is a Bluetooth device.
+- **IsSideband**  Indicates whether the device is a sideband device.
+- **IsUSB**  Indicates whether the device is a USB device.
+- **JackSubType**  A unique ID representing the KS node type of the endpoint.
+- **MicArrayGeometry**  Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry).
+- **persistentId**  A unique ID for this endpoint which is retained across migrations.
+
+### MicArrayGeometry
+
+This event provides information about the layout of the individual microphone elements in the microphone array.
+
+The following fields are available:
+
+- **MicCoords**  The location and orientation of the microphone element.
+- **usFrequencyBandHi**  The high end of the frequency range for the microphone.
+- **usFrequencyBandLo**  The low end of the frequency range for the microphone.
+- **usMicArrayType**  The type of the microphone array.
+- **usNumberOfMicrophones**  The number of microphones in the array.
+- **usVersion**  The version of the microphone array specification.
+- **wHorizontalAngleBegin**  The horizontal angle of the start of the working volume (reported as radians times 10,000).
+- **wHorizontalAngleEnd**  The horizontal angle of the end of the working volume (reported as radians times 10,000).
+- **wVerticalAngleBegin**  The vertical angle of the start of the working volume (reported as radians times 10,000).
+- **wVerticalAngleEnd**  The vertical angle of the end of the working volume (reported as radians times 10,000).
+
 ## Census events
 
 ### Census.App
@@ -2247,6 +2326,7 @@ The following fields are available:
 - **IsVirtualDevice**  Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
 - **SLATSupported**  Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
 - **VirtualizationFirmwareEnabled**  Represents whether virtualization is enabled in the firmware.
+- **VMId**  A string that identifies a virtual machine.
 
 
 ### Census.WU
@@ -2734,7 +2814,7 @@ The following fields are available:
 
 ### TelClientSynthetic.ConnectivityHeartBeat_0
 
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
 
 The following fields are available:
 
@@ -3175,6 +3255,20 @@ The following fields are available:
 - **CV**  Correlation vector.
 
 
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **CV_new**  New correlation vector
+- **hResult**  HRESULT of the failure
+
+
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
 
 This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
@@ -3395,6 +3489,144 @@ The following fields are available:
 - **CV**  Correlation vector.
 
 
+## DISM events
+
+### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
+
+The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot.
+
+The following fields are available:
+
+- **dismInstalledLCUPackageName**  The name of the latest installed package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMPendingInstall
+
+The DISM Pending Install event sends information to report pending package installation found.
+
+The following fields are available:
+
+- **dismPendingInstallPackageName**  The name of the pending package.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
+
+The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in.
+
+The following fields are available:
+
+- **errorCode**  The result code returned by the event.
+- **flightIds**  The Flight IDs (identifier of the beta release) of found driver updates.
+- **foundDriverUpdateCount**  The number of found driver updates.
+- **srtRootCauseDiag**  The scenario name for a diagnosis event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
+
+The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in.
+
+The following fields are available:
+
+- **srtRootCauseDiag**  The scenario name for a diagnosis event.
+
+
+## Driver installation events
+
+### Microsoft.Windows.DriverInstall.DeviceInstall
+
+This critical event sends information about the driver installation that took place.
+
+The following fields are available:
+
+- **ClassGuid**  The unique ID for the device class.
+- **ClassLowerFilters**  The list of lower filter class drivers.
+- **ClassUpperFilters**  The list of upper filter class drivers.
+- **CoInstallers**  The list of coinstallers.
+- **ConfigFlags**  The device configuration flags.
+- **DeviceConfigured**  Indicates whether this device was configured through the kernel configuration.
+- **DeviceInstanceId**  The unique identifier of the device in the system.
+- **DeviceStack**  The device stack of the driver being installed.
+- **DriverDate**  The date of the driver.
+- **DriverDescription**  A description of the driver function.
+- **DriverInfName**  Name of the INF file (the setup information file) for the driver.
+- **DriverInfSectionName**  Name of the DDInstall section within the driver INF file.
+- **DriverPackageId**  The ID of the driver package that is staged to the driver store.
+- **DriverProvider**  The driver manufacturer or provider.
+- **DriverUpdated**  Indicates whether the driver is replacing an old driver.
+- **DriverVersion**  The version of the driver file.
+- **EndTime**  The time the installation completed.
+- **Error**  Provides the WIN32 error code for the installation.
+- **ExtensionDrivers**  List of extension drivers that complement this installation.
+- **FinishInstallAction**  Indicates whether the co-installer invoked the finish-install action.
+- **FinishInstallUI**  Indicates whether the installation process shows the user interface.
+- **FirmwareDate**  The firmware date that will be stored in the EFI System Resource Table (ESRT).
+- **FirmwareRevision**  The firmware revision that will be stored in the EFI System Resource Table (ESRT).
+- **FirmwareVersion**  The firmware version that will be stored in the EFI System Resource Table (ESRT).
+- **FirstHardwareId**  The ID in the hardware ID list that provides the most specific device description.
+- **FlightIds**  A list of the different Windows Insider builds on the device.
+- **GenericDriver**  Indicates whether the driver is a generic driver.
+- **Inbox**  Indicates whether the driver package is included with Windows.
+- **InstallDate**  The date the driver was installed.
+- **LastCompatibleId**  The ID in the hardware ID list that provides the least specific device description.
+- **LegacyInstallReasonError**  The error code for the legacy installation.
+- **LowerFilters**  The list of lower filter drivers.
+- **MatchingDeviceId**  The hardware ID or compatible ID that Windows used to install the device instance.
+- **NeedReboot**  Indicates whether the driver requires a reboot.
+- **OriginalDriverInfName**  The original name of the INF file before it was renamed.
+- **ParentDeviceInstanceId**  The device instance ID of the parent of the device.
+- **PendedUntilReboot**  Indicates whether the installation is pending until the device is rebooted.
+- **Problem**  Error code returned by the device after installation.
+- **ProblemStatus**  The status of the device after the driver installation.
+- **RebootRequiredReason**  DWORD (Double Word—32-bit unsigned integer) containing the reason why the device required a reboot during install.
+- **SecondaryDevice**  Indicates whether the device is a secondary device.
+- **ServiceName**  The service name of the driver.
+- **SetupMode**  Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed.
+- **StartTime**  The time when the installation started.
+- **SubmissionId**  The driver submission identifier assigned by the Windows Hardware Development Center.
+- **UpperFilters**  The list of upper filter drivers.
+
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
+
+This event sends data about the driver installation once it is completed.
+
+The following fields are available:
+
+- **DeviceInstanceId**  The unique identifier of the device in the system.
+- **DriverUpdated**  Indicates whether the driver was updated.
+- **Error**  The Win32 error code of the installation.
+- **FlightId**  The ID of the Windows Insider build the device received.
+- **InstallDate**  The date the driver was installed.
+- **InstallFlags**  The driver installation flags.
+- **OptionalData**  Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
+- **RebootRequired**  Indicates whether a reboot is required after the installation.
+- **RollbackPossible**  Indicates whether this driver can be rolled back.
+- **WuTargetedHardwareId**  Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
+- **WuUntargetedHardwareId**  Indicates that the driver was installed because Windows Update performed a generic driver update for all devices of that hardware class.
+
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
+
+This event sends data about the driver that the new driver installation is replacing.
+
+The following fields are available:
+
+- **DeviceInstanceId**  The unique identifier of the device in the system.
+- **FirstInstallDate**  The first time a driver was installed on this device.
+- **LastDriverDate**  Date of the driver that is being replaced.
+- **LastDriverInbox**  Indicates whether the previous driver was included with Windows.
+- **LastDriverInfName**  Name of the INF file (the setup information file) of the driver being replaced.
+- **LastDriverVersion**  The version of the driver that is being replaced.
+- **LastFirmwareDate**  The date of the last firmware reported from the EFI System Resource Table (ESRT).
+- **LastFirmwareRevision**  The last firmware revision number reported from EFI System Resource Table (ESRT).
+- **LastFirmwareVersion**  The last firmware version reported from the EFI System Resource Table (ESRT).
+- **LastInstallDate**  The date a driver was last installed on this device.
+- **LastMatchingDeviceId**  The hardware ID or compatible ID that Windows last used to install the device instance.
+- **LastProblem**  The previous problem code that was set on the device.
+- **LastProblemStatus**  The previous problem code that was set on the device.
+- **LastSubmissionId**  The driver submission identifier of the driver that is being replaced.
+
+
 ## DxgKernelTelemetry events
 
 ### DxgKrnlTelemetry.GPUAdapterInventoryV2
@@ -3408,12 +3640,15 @@ The following fields are available:
 - **bootId**  The system boot ID.
 - **BrightnessVersionViaDDI**  The version of the Display Brightness Interface.
 - **ComputePreemptionLevel**  The maximum preemption level supported by GPU for compute payload.
+- **DDIInterfaceVersion**  The device driver interface version.
 - **DedicatedSystemMemoryB**  The amount of system memory dedicated for GPU use (in bytes).
 - **DedicatedVideoMemoryB**  The amount of dedicated VRAM of the GPU (in bytes).
 - **DisplayAdapterLuid**  The display adapter LUID.
 - **DriverDate**  The date of the display driver.
 - **DriverRank**  The rank of the display driver.
 - **DriverVersion**  The display driver version.
+- **DriverWorkarounds**  Bitfield data for specific driver workarounds enabled for this device.
+- **DriverWorkarounds.Length**  The length of the DriverWorkarounds bitfield.
 - **DX10UMDFilePath**  The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
 - **DX11UMDFilePath**  The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
 - **DX12UMDFilePath**  The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
@@ -3422,8 +3657,11 @@ The following fields are available:
 - **GPUPreemptionLevel**  The maximum preemption level supported by GPU for graphics payload.
 - **GPURevisionID**  The GPU revision ID.
 - **GPUVendorID**  The GPU vendor ID.
+- **InterfaceFuncPointersProvided1**  The number of device driver interface function pointers provided.
+- **InterfaceFuncPointersProvided2**  The number of device driver interface function pointers provided.
 - **InterfaceId**  The GPU interface ID.
 - **IsDisplayDevice**  Does the GPU have displaying capabilities?
+- **IsHwSchEnabled**  Indicates whether Hardware Scheduling is enabled.
 - **IsHwSchSupported**  Indicates whether the adapter supports hardware scheduling.
 - **IsHybridDiscrete**  Does the GPU have discrete GPU capabilities in a hybrid device?
 - **IsHybridIntegrated**  Does the GPU have integrated GPU capabilities in a hybrid device?
@@ -3887,7 +4125,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
 
-This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
 
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
@@ -3914,7 +4152,7 @@ The following fields are available:
 - **HWID**  A list of hardware IDs for the device.
 - **Inf**  The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
 - **InstallDate**  The date of the most recent installation of the device on the machine.
-- **InstallState**  The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState**  The device installation state.  One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
 - **InventoryVersion**  The version number of the inventory process generating the events.
 - **LowerClassFilters**  The identifiers of the Lower Class filters installed for the device.
 - **LowerFilters**  The identifiers of the Lower filters installed for the device.
@@ -4089,39 +4327,12 @@ The following fields are available:
 
 This event sends details collected for a specific application on the source device.
 
-The following fields are available:
-
-- **AhaVersion**  The binary version of the App Health Analyzer tool.
-- **ApplicationErrors**  The count of application errors from the event log.
-- **Bitness**  The architecture type of the application (16 Bit or 32 bit or 64 bit).
-- **device_level**  Various JRE/JAVA versions installed on a particular device.
-- **ExtendedProperties**  Attribute used for aggregating all other attributes under this event type.
-- **Jar**  Flag to determine if an app has a Java JAR file dependency.
-- **Jre**  Flag to determine if an app has JRE framework dependency.
-- **Jre_version**  JRE versions an app has declared framework dependency for.
-- **Name**  Name of the application.
-- **NonDPIAware**  Flag to determine if an app is non-DPI aware.
-- **NumBinaries**  Count of all binaries (.sys,.dll,.ini) from application install location.
-- **RequiresAdmin**  Flag to determine if an app requests admin privileges for execution.
-- **RequiresAdminv2**  Additional flag to determine if an app requests admin privileges for execution.
-- **RequiresUIAccess**  Flag to determine if an app is based on UI features for accessibility.
-- **VB6**  Flag to determine if an app is based on VB6 framework.
-- **VB6v2**  Additional flag to determine if an app is based on VB6 framework.
-- **Version**  Version of the application.
-- **VersionCheck**  Flag to determine if an app has a static dependency on OS version.
-- **VersionCheckv2**  Additional flag to determine if an app has a static dependency on OS version.
 
 
 ### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
 
 This event indicates the beginning of a series of AppHealthStaticAdd events.
 
-The following fields are available:
-
-- **AllowTelemetry**  Indicates the presence of the 'allowtelemetry' command line argument.
-- **CommandLineArgs**  Command line arguments passed when launching the App Health Analyzer executable.
-- **Enhanced**  Indicates the presence of the 'enhanced' command line argument.
-- **StartTime**  UTC date and time at which this event was sent.
 
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
@@ -4316,10 +4527,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **BrowserFlags**  Browser flags for Office-related products
-- **ExchangeProviderFlags**  Provider policies for Office Exchange
+- **BrowserFlags**  Browser flags for Office-related products.
+- **ExchangeProviderFlags**  Provider policies for Office Exchange.
 - **InventoryVersion**  The version of the inventory binary generating the events.
-- **SharedComputerLicensing**  Office shared computer licensing policies
+- **SharedComputerLicensing**  Office shared computer licensing policies.
 
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
@@ -4534,6 +4745,250 @@ The following fields are available:
 - **UserInputTime**  The amount of time the loader application spent waiting for user input.
 
 
+### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
+
+This critical device configuration event provides information about drivers for a driver installation that took place within the kernel.
+
+The following fields are available:
+
+- **ClassGuid**  The unique ID for the device class.
+- **DeviceInstanceId**  The unique ID for the device on the system.
+- **DriverDate**  The date of the driver.
+- **DriverFlightIds**  The IDs for the driver flights.
+- **DriverInfName**  Driver INF file name.
+- **DriverProvider**  The driver manufacturer or provider.
+- **DriverSubmissionId**  The driver submission ID assigned by the hardware developer center.
+- **DriverVersion**  The driver version number.
+- **ExtensionDrivers**  The list of extension driver INF files, extension IDs, and associated flight IDs.
+- **FirstHardwareId**  The ID in the hardware ID list that provides the most specific device description.
+- **InboxDriver**  Indicates whether the driver package is included with Windows.
+- **InstallDate**  Date the driver was installed.
+- **LastCompatibleId**  The ID in the hardware ID list that provides the least specific device description.
+- **Legacy**  Indicates whether the driver is a legacy driver.
+- **NeedReboot**  Indicates whether the driver requires a reboot.
+- **SetupMode**  Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
+- **StatusCode**  The NTSTATUS of device configuration operation.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
+
+This event is sent when a problem code is cleared from a device.
+
+The following fields are available:
+
+- **Count**  The total number of events.
+- **DeviceInstanceId**  The unique identifier of the device on the system.
+- **LastProblem**  The previous problem that was cleared.
+- **LastProblemStatus**  The previous NTSTATUS value that was cleared.
+- **Problem**  The new problem code set on the device node.
+- **ProblemStatus**  The new NT_STATUS set on the device node.
+- **ServiceName**  The name of the driver or service attached to the device.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
+
+This event is sent when a new problem code is assigned to a device.
+
+The following fields are available:
+
+- **Count**  The total number of events.
+- **DeviceInstanceId**  The unique identifier of the device in the system.
+- **LastProblem**  The previous problem code that was set on the device.
+- **LastProblemStatus**  The previous NTSTATUS value that was set on the device.
+- **Problem**  The new problem code that was set on the device.
+- **ProblemStatus**  The new NTSTATUS value that was set on the device.
+- **ServiceName**  The driver or service name that is attached to the device.
+
+
+## Microsoft Edge events
+
+### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's  used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date.
+
+The following fields are available:
+
+- **appAp**  Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
+- **appAppId**  The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
+- **appBrandCode**  The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appChannel**  An integer indicating the channel of the installation (e.g. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort**  A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint**  A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName**  A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState**  Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall**  The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown).
+- **appExperiments**  A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''.
+- **appInstallTimeDiffSec**  The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang**  The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appNextVersion**  The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
+- **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs**  For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError**  The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint**  For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs**  For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode**  The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult**  An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error).
+- **appPingEventEventType**  An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown).
+- **appPingEventExtraCode1**  Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs**  For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded**  The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventSequenceId**  An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex**  For events representing a download, the position of the download URL in the list of URLs supplied by the server in a  tag.
+- **appPingEventUpdateCheckTimeMs**	For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled**  The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix**  A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken**  An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''.
+- **appVersion**  The version of the product install. Default: '0.0.0.0'.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType**  A string representation of appPingEventEventType indicating the type of the event.
+- **hwHasAvx**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse**  '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2**  '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3**  '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41**  '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42**  '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3**  '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwPhysmemory**  The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined**  '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **osArch**  The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform**  The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack**  The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion**  The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec**  The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref**  A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined**  '1' if the device is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource**  A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine**  '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion**  The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion**  The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion**  The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients MUST always transmit this attribute. Default: undefined.
+- **requestRequestId**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Default: ''.
+- **requestSessionCorrelationVectorBase**  A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId**  A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique sessionid. Default: ''.
+- **requestTestSource**  Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid**  A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''.
+
+
+### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version**  The internal Microsoft Edge build version string.
+- **appConsentState**  Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel**  An integer indicating the channel of the installation (Canary or Dev).
+- **client_id**  A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType**  The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id**  The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id**  The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level**  The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource**  An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass**  The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID**  A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType**  The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
 ## Migration events
 
 ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
@@ -4747,6 +5202,7 @@ This event determines the error code that was returned when verifying Internet c
 
 The following fields are available:
 
+- **failedCheck**  The error code returned by the operation.
 - **winInetError**  The HResult of the operation.
 
 
@@ -4802,6 +5258,23 @@ The following fields are available:
 - **originatingContextName**  The name of the originating call context that resulted in the failure.
 - **threadId**  The ID of the thread on which the activity is executing.
 
+## Privacy notifier events
+
+
+### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
+
+This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue.
+
+The following fields are available:
+
+- **cleanupTask**  Indicates whether the task that launched the dialog should be cleaned up.
+- **cleanupTaskResult**  The return code of the attempt to clean up the task used to show the dialog.
+- **deviceEvaluated**  Indicates whether the device was eligible for evaluation of a known issue.
+- **deviceImpacted**  Indicates whether the device was impacted by a known issue.
+- **modalAction**  The action the user took on the dialog that was presented to them.
+- **modalResult**  The return code of the attempt to show a dialog to the user explaining the issue.
+- **resetSettingsResult**  The return code of the action to correct the known issue.
+
 
 ## Remediation events
 
@@ -4880,24 +5353,11 @@ The following fields are available:
 - **QualityUpdateSedimentTargetedTriggers**  Provides information about remediations that are applicable to enable Quality Updates on the device.
 - **RegkeysExist**  Indicates whether specified registry keys exist.
 - **Reload**  True if SIH reload is required.
-- **RemediationAutoUAAcLineStatus**  Indicates the power status returned by the Automatic Update Assistant tool.
-- **RemediationAutoUAAutoStartCount**  Indicates the number of times the Automatic Update Assistant tool has automatically started.
-- **RemediationAutoUACalendarTaskEnabled**  Indicates whether an Automatic Update Assistant tool task is enabled.
-- **RemediationAutoUACalendarTaskExists**  Indicates whether an Automatic Update Assistant tool task exists.
-- **RemediationAutoUACalendarTaskTriggerEnabledCount**  Indicates the number of times an Automatic Update Assistant tool task has been triggered.
-- **RemediationAutoUADaysSinceLastTaskRunTime**  Indicates the last run time an Automatic Update Assistant tool task was run.
-- **RemediationAutoUAGetCurrentSize**  Indicates the current size of the Automatic Update Assistant tool.
+- **RemediationAutoUACleanupNeeded**  Automatic Update Assistant cleanup is required.
 - **RemediationAutoUAIsInstalled**  Indicates whether the Automatic Update Assistant tool is installed.
-- **RemediationAutoUALastTaskRunResult**  Indicates the result from the last time the Automatic Update Assistant tool was run.
-- **RemediationAutoUAMeteredNetwork**  Indicates whether the Automatic Update Assistant tool is running on a metered network.
-- **RemediationAutoUATaskEnabled**  Indicates whether the Automatic Update Assistant tool task is enabled.
-- **RemediationAutoUATaskExists**  Indicates whether an Automatic Update Assistant tool task exists.
+- **RemediationAutoUATaskDisabled**  Indicates whether the Automatic Update Assistant tool task is disabled.
+- **RemediationAutoUATaskNotExists**  Indicates whether an Automatic Update Assistant tool task does not exist.
 - **RemediationAutoUATasksStalled**  Indicates whether an Automatic Update Assistant tool task is stalled.
-- **RemediationAutoUATaskTriggerEnabledCount**  Indicates how many times an Automatic Update Assistant tool task was triggered.
-- **RemediationAutoUAUAExitCode**  Indicates any exit code provided by the Automatic Update Assistant tool.
-- **RemediationAutoUAUAExitState**  Indicates the exit state of the Automatic Update Assistant tool.
-- **RemediationAutoUAUserLoggedIn**  Indicates whether a user is logged in.
-- **RemediationAutoUAUserLoggedInAdmin**  Indicates whether a user is logged in as an Administrator.
 - **RemediationCorruptionRepairBuildNumber**  The build number to use to repair corruption.
 - **RemediationCorruptionRepairCorruptionsDetected**  Indicates whether corruption was detected.
 - **RemediationCorruptionRepairDetected**  Indicates whether an attempt was made to repair the corruption.
@@ -5010,6 +5470,7 @@ The following fields are available:
 - **branchReadinessLevel**  Branch readiness level policy.
 - **cloudControlState**  Value indicating whether the shell is enabled on the cloud control settings.
 - **CV**  The Correlation Vector.
+- **DateTimeDifference**  The difference between the local and reference clocks.
 - **DiskFreeSpaceAfterSedimentPackInMB**  The amount of free disk space (in megabytes) after executing the Sediment Pack.
 - **DiskFreeSpaceBeforeSedimentPackInMB**  The amount of free disk space (in megabytes) before executing the Sediment Pack.
 - **DiskMbFreeAfterCleanup**  The amount of free hard disk space after cleanup, measured in Megabytes.
@@ -5038,6 +5499,7 @@ The following fields are available:
 - **QualityUpdateSedimentMatchedTriggers**  The list of triggers that were matched by the Windows Quality Update remediation.
 - **QualityUpdateSedimentModelExecutionSeconds**  The number of seconds needed to execute the Windows Quality Update remediation.
 - **recoveredFromTargetOS**  Indicates whether the device recovered from the target operating system (OS).
+- **RemediationAutoUASpaceSaved**  Amount of disk space saved in MB after cleaning up AutoUA folders.
 - **RemediationBatteryPowerBatteryLevel**  Indicates the battery level at which it is acceptable to continue operation.
 - **RemediationBatteryPowerExitDueToLowBattery**  True when we exit due to low battery power.
 - **RemediationBatteryPowerOnBattery**  True if we allow execution on battery.
@@ -5046,8 +5508,12 @@ The following fields are available:
 - **RemediationComponentCleanupEstimateInMB**  The amount of space (megabytes) in the WinSxS (Windows Side-by-Side) folder that is available for cleanup by the plug-in.
 - **RemediationConfigurationTroubleshooterIpconfigFix**  TRUE if IPConfig Fix completed successfully.
 - **RemediationConfigurationTroubleshooterNetShFix**  TRUE if network card cache reset ran successfully.
+- **RemediationCorruptionIsManifestFix**  Boolean indicating if the manifest was repaired.
 - **RemediationCorruptionRepairCorruptionsDetected**  Number of corruptions detected on the device.
 - **RemediationCorruptionRepairCorruptionsFixed**  Number of detected corruptions that were fixed on the device.
+- **RemediationCorruptionRepairDownloadCompleted**  Boolean indicating if the download of manifest cab was completed.
+- **RemediationCorruptionRepairDownloadRequired**  Boolean indicating if the download of manifest cab is required for repair.
+- **RemediationCorruptionRepairMeteredNetwork**  Boolean indicating if the device is on a metered network.
 - **RemediationCorruptionRepairPerformActionSuccessful**  Indicates whether corruption repair was successful on the device.
 - **RemediationDiskCleanupSearchFileSizeInMB**  The size of the Cleanup Search index file, measured in megabytes.
 - **RemediationDiskSpaceSavedByCompressionInMB**  The amount of disk space (megabytes) that was compressed by the plug-in.
@@ -5096,6 +5562,7 @@ The following fields are available:
 - **systemDriveFreeDiskSpace**  Indicates the free disk space on system drive, in megabytes.
 - **systemUptimeInHours**  Indicates the amount of time the system in hours has been on since the last boot.
 - **uninstallActive**  TRUE if previous uninstall has occurred for current OS
+- **UpdateApplicabilityFixedBitMap**  Bitmap indicating which fixes were applied by the plugin.
 - **usoScanDaysSinceLastScan**  The number of days since the last USO (Update Session Orchestrator) scan.
 - **usoScanInProgress**  TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
 - **usoScanIsAllowAutoUpdateKeyPresent**  TRUE if the AllowAutoUpdate registry key is set.
@@ -5357,6 +5824,45 @@ The following fields are available:
 - **WUDeviceID**  The unique identifier controlled by the software distribution client.
 
 
+### SIHEngineTelemetry.ExecuteAction
+
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+
+The following fields are available:
+
+- **CachedEngineVersion**  The engine DLL version that is being used.
+- **EventInstanceID**  A unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **RebootRequired**  Indicates if a reboot was required to complete the action.
+- **ServiceGuid**  A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
+- **SihclientVersion**  The SIH version.
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID**  A unique identifier for the action being acted upon.
+- **WuapiVersion**  The Windows Update API version.
+- **WuaucltVersion**  The Windows Update version identifier for SIH.
+- **WuauengVersion**  The Windows Update engine version identifier.
+- **WUDeviceID**  The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.PostRebootReport
+
+This event reports the status of an action following a reboot, should one have been required.
+
+The following fields are available:
+
+- **CachedEngineVersion**  The engine DLL version that is being used.
+- **EventInstanceID**  A unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ServiceGuid**  A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
+- **SihclientVersion**  Version of SIH Client on the device.
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID**  A unique identifier for the action being acted upon.
+- **WuapiVersion**  Version of Windows Update DLL on the device.
+- **WuaucltVersion**  Version of WUAUCLT (Windows Update Auto-Update Client) on the device.
+- **WuauengVersion**  Version of Windows Update (Auto-Update) engine on the device.
+- **WUDeviceID**  The unique identifier controlled by the software distribution client.
+
+
 ## Software update events
 
 ### SoftwareUpdateClientTelemetry.CheckForUpdates
@@ -5511,6 +6017,7 @@ The following fields are available:
 - **DeviceModel**  The model of the device.
 - **DownloadPriority**  Indicates whether a download happened at background, normal, or foreground priority.
 - **DownloadProps**  Information about the download operation properties in the form of a bitmask.
+- **DownloadScenarioId**  A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
 - **DownloadType**  Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
 - **EventInstanceID**  A globally unique identifier for event instance.
 - **EventScenario**  Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
@@ -5818,12 +6325,12 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether
 The following fields are available:
 
 - **CallerApplicationName**  Name of application making the Windows Update request. Used to identify context of request.
-- **EndpointUrl**  URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
 - **EventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
 - **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
 - **LeafCertId**  The integral ID from the FragmentSigning data for the certificate that failed.
 - **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **MetadataIntegrityMode**  Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
 - **MetadataSignature**  A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
 - **RawMode**  The raw unparsed mode string from the SLS response. This field is null if not applicable.
 - **RawValidityWindowInDays**  The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
@@ -5834,8 +6341,8 @@ The following fields are available:
 - **SHA256OfLeafCertPublicKey**  A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
 - **SHA256OfTimestampToken**  An encoded string of the timestamp token.
 - **SignatureAlgorithm**  The hash algorithm for the metadata signature.
-- **SLSPrograms**  A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
-- **StatusCode**  Result code of the event (success, cancellation, failure code HResult)
+- **SLSPrograms**  A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
 - **TimestampTokenCertThumbprint**  The thumbprint of the encoded timestamp token.
 - **TimestampTokenId**  The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
 - **UpdateId**  The update ID for a specific piece of content.
@@ -5854,7 +6361,6 @@ The following fields are available:
 - **UsageMean**  The mean of hourly average CPU usage.
 - **UsageMedian**  The median of hourly average CPU usage.
 - **UsageTwoHourMaxMean**  The mean of the maximum of every two hour of hourly average CPU usage.
-- **UsageTwoHourMedianMean**  The mean of the median of every two hour of hourly average CPU usage.
 
 
 ### Microsoft.Windows.Srum.Sdp.NetworkUsage
@@ -5868,7 +6374,6 @@ The following fields are available:
 - **BytesTotalMean**  The mean of the hourly average bytes total.
 - **BytesTotalMedian**  The median of the hourly average bytes total.
 - **BytesTotalTwoHourMaxMean**  The mean of the maximum of every two hours of hourly average bytes total.
-- **BytesTotalTwoHourMedianMean**  The mean of the median of every two hour of hourly average bytes total.
 - **LinkSpeed**  The adapter link speed.
 
 
@@ -5914,7 +6419,9 @@ This event sends data for the download request phase of updating Windows via the
 
 The following fields are available:
 
+- **ContainsSafeOSDUPackage**  Boolean indicating whether Safe DU packages are part of the payload.
 - **DeletedCorruptFiles**  Boolean indicating whether corrupt payload was deleted.
+- **DownloadComplete**  Indicates if the download is complete.
 - **DownloadRequests**  Number of times a download was retried.
 - **ErrorCode**  The error code returned for the current download request phase.
 - **ExtensionName**  Indicates whether the payload is related to Operating System content or a plugin.
@@ -6136,12 +6643,15 @@ The following fields are available:
 
 - **ErrorCode**  The error code returned for the current reboot.
 - **FlightId**  Unique ID for the flight (test instance version).
+- **IsSuspendable**  Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
 - **ObjectId**  The unique value for each Update Agent mode.
+- **Reason**  Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
 - **RelatedCV**  The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
 - **Result**  The HResult of the event.
 - **ScenarioId**  The ID of the update scenario.
 - **SessionId**  The ID of the update attempt.
 - **UpdateId**  The ID of the update.
+- **UpdateState**  Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit.
 
 
 ### Update360Telemetry.UpdateAgentSetupBoxLaunch
@@ -6160,6 +6670,7 @@ The following fields are available:
 - **SandboxSize**  Size of the sandbox.
 - **ScenarioId**  Indicates the update scenario.
 - **SessionId**  Unique value for each update attempt.
+- **SetupLaunchAttemptCount**  Indicates the count of attempts to launch setup for the current Update Agent instance.
 - **SetupMode**  Mode of setup to be launched.
 - **UpdateId**  Unique ID for each Update.
 - **UserSession**  Indicates whether install was invoked by user actions.
@@ -6167,6 +6678,22 @@ The following fields are available:
 
 ## Update notification events
 
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
+
+This event is sent at the start of each campaign, to be used as a heartbeat.
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign.
+- **CampaignID**  Current campaign that is running on Update Notification Pipeline.
+- **ConfigCatalogVersion**  Current catalog version of Update Notification Pipeline.
+- **ContentVersion**  Content version for the current campaign on Update Notification Pipeline.
+- **CV**  Correlation vector.
+- **DetectorVersion**  Most recently run detector version for the current campaign on Update Notification Pipeline.
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion**  Current package version for Update Notification Pipeline.
+
+
 ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
 
 This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
@@ -6183,11 +6710,28 @@ The following fields are available:
 - **PackageVersion**  Current UNP package version.
 
 
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
+
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign.
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign.
+- **CampaignID**  Currently campaign that's running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion**  Current catalog version of UNP.
+- **ContentVersion**  Content version for the current campaign on UNP.
+- **CV**  Correlation vector.
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user.
+- **hresult**  HRESULT of the failure.
+- **PackageVersion**  Current UNP package version.
+
+
 ## Upgrade events
 
 ### FacilitatorTelemetry.DCATDownload
 
-This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -6206,13 +6750,8 @@ This event returns data about the download of supplemental packages critical to
 
 The following fields are available:
 
-- **DownloadRequestAttributes**  The attributes sent for download.
 - **PackageCategoriesFailed**  Lists the categories of packages that failed to download.
 - **PackageCategoriesSkipped**  Lists the categories of package downloads that were skipped.
-- **ResultCode**  The result of the event execution.
-- **Scenario**  Identifies the active Download scenario.
-- **Url**  The URL the download request was sent to.
-- **Version**  Identifies the version of Facilitator used.
 
 
 ### FacilitatorTelemetry.InitializeDU
@@ -6231,7 +6770,7 @@ The following fields are available:
 
 ### Setup360Telemetry.Downlevel
 
-This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -6512,7 +7051,7 @@ The following fields are available:
 - **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended**  Detailed information about the phase/action when the potential failure occurred.
 - **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
 - **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
 - **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
@@ -6573,6 +7112,18 @@ The following fields are available:
 - **IsValidDumpFile**  True if the dump file is valid for the debugger, false otherwise
 - **ReportId**  WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
 
+### Value
+
+This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy.
+
+The following fields are available:
+
+- **Algorithm**  The algorithm used to preserve privacy.
+- **DPRange**  The upper bound of the range being measured.
+- **DPValue**  The randomized response returned by the client.
+- **Epsilon**  The level of privacy to be applied.
+- **HistType**  The histogram type if the algorithm is a histogram algorithm.
+- **PertProb**  The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
 
 ## Windows Error Reporting MTT events
 
@@ -6587,28 +7138,8 @@ The following fields are available:
 - **Value**  Standard UTC emitted DP value structure See [Value](#value).
 
 
-### Value
-
-This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy.
-
-The following fields are available:
-
-- **Algorithm**  The algorithm used to preserve privacy.
-- **DPRange**  The upper bound of the range being measured.
-- **DPValue**  The randomized response returned by the client.
-- **Epsilon**  The level of privacy to be applied.
-- **HistType**  The histogram type if the algorithm is a histogram algorithm.
-- **PertProb**  The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
-
-
 ## Windows Store events
 
-### Microsoft.Windows.Store.StoreActivating
-
-This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date.
-
-
-
 ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
 
 This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
@@ -6697,6 +7228,7 @@ The following fields are available:
 
 - **AggregatedPackageFullNames**  Includes a set of package full names for each app that is part of an atomic set.
 - **AttemptNumber**  The total number of attempts to acquire this product.
+- **BundleId**  The identity of the test build (flight) associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  HResult code to show the result of the operation (success/failure).
@@ -6706,6 +7238,7 @@ The following fields are available:
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this happening after a device restore?
 - **IsUpdate**  Is this an update?
+- **ParentBundleId**  The product identifier of the parent if this product is part of a bundle.
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
@@ -6996,6 +7529,11 @@ This event sends simple Product and Service usage data when a user is using the
 The following fields are available:
 
 - **Phase**  The image creation phase. Values are “Start” or “End”.
+- **Result**  Result of the image creation phase. Indicates if the image was created successfully. Value is integer.
+- **WorkspaceArchitecture**  Architecture of image created.
+- **WorkspaceOsEdition**  OSEdition of the image created.
+- **WskImageEnvironment**  Type of environment image was created for "Lab" or "Non-Lab".
+- **WskSessionId**  A string identifier (GUID) for the workspace.
 - **WskVersion**  The version of the Windows System Kit being used.
 
 
@@ -7009,7 +7547,9 @@ The following fields are available:
 - **CustomizationType**  Indicates the type of customization (drivers or apps).
 - **Mode**  The mode of update to image configuration files. Values are “New” or “Update”.
 - **Phase**  The image creation phase. Values are “Start” or “End”.
+- **Result**  Result of the image creation phase.
 - **Type**  The type of update to image configuration files. Values are “Apps” or “Drivers”.
+- **WskSessionId**  A string identifier (GUID) for the workspace.
 - **WskVersion**  The version of the Windows System Kit being used.
 
 
@@ -7022,11 +7562,21 @@ The following fields are available:
 - **Architecture**  The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”.
 - **OsEdition**  The Operating System Edition that the workspace will target.
 - **Phase**  The image creation phase. Values are “Start” or “End”.
+- **Result**  Stage result. Values are integers.
 - **WorkspaceArchitecture**  The operating system architecture that the workspace will target.
 - **WorkspaceOsEdition**  The operating system edition that the workspace will target.
+- **WskSessionId**  A string identifier (GUID) for the workspace.
 - **WskVersion**  The version of the Windows System Kit being used.
 
 
+## Windows Update CSP events
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
+
+This event sends basic information indicating that Feature Rollback has started.
+
+
+
 ## Windows Update Delivery Optimization events
 
 ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
@@ -7100,6 +7650,7 @@ The following fields are available:
 - **groupConnectionCount**  The total number of connections made to peers in the same group.
 - **internetConnectionCount**  The total number of connections made to peers not in the same LAN or the same group.
 - **isEncrypted**  TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled**  Indicates the Event Rate was throttled (event represent aggregated data).
 - **isVpn**  Is the device connected to a Virtual Private Network?
 - **jobID**  Identifier for the Windows Update job.
 - **lanConnectionCount**  The total number of connections made to peers in the same LAN.
@@ -7504,6 +8055,16 @@ The following fields are available:
 - **wuDeviceid**  Device ID.
 
 
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This event indicates that a device was unable to restart after an update.
+
+The following fields are available:
+
+- **errorCode**  The error code that was returned.
+- **wuDeviceid**  The Windows Update device GUID.
+
+
 ### Microsoft.Windows.Update.Orchestrator.DeferRestart
 
 This event indicates that a restart required for installing updates was postponed.
@@ -7545,6 +8106,39 @@ The following fields are available:
 - **wuDeviceid**  The unique device ID used by Windows Update.
 
 
+### Microsoft.Windows.Update.Orchestrator.DetectionActivity
+
+This event returns data about detected updates, as well as the types of update (optional or recommended). This data helps keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateIdList**  The list of update identifiers.
+- **applicableUpdateList**  The list of available updates.
+- **durationInSeconds**  The amount of time (in seconds) it took for the event to run.
+- **expeditedMode**  Indicates whether Expedited Mode is on.
+- **networkCostPolicy**  The network cost.
+- **scanTriggerSource**  Indicates whether the scan is Interactive or Background.
+- **scenario**  The result code of the event.
+- **scenarioReason**  The reason for the result code (scenario).
+- **seekerUpdateIdList**  The list of “seeker” update identifiers.
+- **seekerUpdateList**  The list of “seeker” updates.
+- **services**  The list of services that were called during update.
+- **wilActivity**  The activity results. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Update.Orchestrator.DetectionResult
+
+This event runs when an update is detected. This helps ensure Windows is kept up to date.
+
+The following fields are available:
+
+- **applicableUpdateIdList**  A list of applicable update IDs.
+- **applicableUpdateList**  A list of applicable update names.
+- **seekerUpdateIdList**  A list of optional update IDs.
+- **seekerUpdateList**  A list of optional update names.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
 ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
 
 This event indicates the reboot was postponed due to needing a display.
@@ -7720,6 +8314,23 @@ The following fields are available:
 - **wuDeviceid**  The Windows Update Device GUID (Globally-Unique ID).
 
 
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event is sent after a Windows update install completes.
+
+The following fields are available:
+
+- **batteryLevel**  Current battery capacity in megawatt-hours (mWh) or percentage left.
+- **bundleId**  The unique identifier associated with the specific content bundle.
+- **bundleRevisionnumber**  Identifies the revision number of the content bundle.
+- **errorCode**  The error code returned for the current phase.
+- **eventScenario**  State of update action.
+- **flightID**  The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
+- **sessionType**  The Windows Update session type (Interactive or Background).
+- **updateScenarioType**  Identifies the type of Update session being performed.
+- **wuDeviceid**  The unique device identifier used by Windows Update.
+
+
 ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
 
 This event is generated before the shutdown and commit operations.
@@ -7791,6 +8402,32 @@ The following fields are available:
 - **wuDeviceid**  Unique device ID used by Windows Update.
 
 
+### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable
+
+This event defines when an optional update is available for the device to help keep Windows up to date.
+
+The following fields are available:
+
+- **flightID**  The unique identifier of the Windows Insider build on this device.
+- **isFeatureUpdate**  Indicates whether the update is a Feature Update.
+- **revisionNumber**  The revision number of the update.
+- **updateId**  The GUID (Globally Unique Identifier) of the update.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.SeekUpdate
+
+This event occurs when user initiates "seeker" scan. This helps keep Windows up to date.
+
+The following fields are available:
+
+- **flightID**  The ID of the Windows Insider builds on the device.
+- **isFeatureUpdate**  Indicates that the target of the Seek is a feature update.
+- **revisionNumber**  The revision number of the update.
+- **updateId**  The identifier of the update.
+- **wuDeviceid**  The Windows Update device identifier.
+
+
 ### Microsoft.Windows.Update.Orchestrator.StickUpdate
 
 This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
@@ -8018,19 +8655,19 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
 
 The following fields are available:
 
-- **ClientId**  Unique identifier for each flight.
+- **ClientId**  In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightId**  Unique GUID that identifies each instances of setuphost.exe.
-- **InstanceId**  The update scenario in which the mitigation was executed.
-- **MitigationScenario**  Correlation vector value generated from the latest USO scan.
-- **RelatedCV**  Number of reparse points that are corrupted but we failed to fix them.
-- **ReparsePointsFailed**  Number of reparse points that were corrupted and were fixed by this mitigation.
-- **ReparsePointsFixed**  Number of reparse points that are not corrupted and no action is required.
-- **ReparsePointsSkipped**  HResult of this operation.
-- **Result**  ID indicating the mitigation scenario.
-- **ScenarioId**  Indicates whether the scenario was supported.
-- **ScenarioSupported**  Unique value for each update attempt.
-- **SessionId**  Unique ID for each Update.
-- **UpdateId**  Unique ID for the Windows Update client.
+- **InstanceId**  Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario**  The update scenario in which the mitigation was executed.
+- **RelatedCV**  Correlation vector value generated from the latest USO scan.
+- **ReparsePointsFailed**  Number of reparse points that were corrupted but were not fixed by this mitigation.
+- **ReparsePointsFixed**  Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsSkipped**  Number of reparse points that are not corrupted and no action is required.
+- **Result**  HResult of this operation.
+- **ScenarioId**  ID indicating the mitigation scenario.
+- **ScenarioSupported**  Indicates whether the scenario was supported.
+- **SessionId**  Unique ID for the update session.
+- **UpdateId**  Unique ID for the Windows Update.
 - **WuId**  Unique ID for the Windows Update client.
 
 
@@ -8103,6 +8740,7 @@ This event is sent when the Update Reserve Manager prepares the Trusted Installe
 
 The following fields are available:
 
+- **FallbackLogicUsed**  Indicates whether fallback logic was used for initialization.
 - **Flags**  The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
 
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e1626b44e7..70e294409e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,6 +1,6 @@
 --- 
 title: Manage connections from Windows 10 operating system components to Microsoft services
-description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
+description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
 ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
 ms.reviewer: 
 keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index d782b8d33e..1469d2dcf0 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -35,7 +35,6 @@ sections:
       
-      

 
Platform/Portal
-Register devices?
-Create/Assign profile
-Acceptable DeviceID
+Platform/PortalRegister devices?Create/Assign profileAcceptable DeviceID
 

 
 
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		October 08, 2019 
10:00 AM PT

       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		August 17, 2019 
02:00 PM PT

       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019 
07:03 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		July 09, 2019 
10:00 AM PT

       

       "
 
@@ -64,12 +63,3 @@ sections:
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019 
07:03 PM PT

Opened:
August 09, 2019 
04:25 PM PT

       

       "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		Resolved:
July 09, 2019 
10:00 AM PT

Opened:
June 12, 2019 
11:11 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index 84bc5ffff2..404538ea70 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -42,11 +42,6 @@ sections:
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019 
07:03 PM PT

       
SCVMM cannot enumerate and manage logical switches deployed on the host
System Center Virtual Machine Manager cannot enumerate and manage logical switches deployed on managed hosts.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		July 16, 2019 
10:00 AM PT

       
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		July 16, 2019 
10:00 AM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		July 09, 2019 
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		June 27, 2019 
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4503294		June 18, 2019 
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4503267		June 11, 2019 
10:00 AM PT
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4503267		June 11, 2019 
10:00 AM PT

       

       "
 
@@ -96,27 +91,6 @@ sections:
     text: "
       
-      
-      
-      
-      
DetailsOriginating updateStatusHistory

       
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

Affected platforms:
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507459.

Back to top		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		Resolved:
July 16, 2019 
10:00 AM PT

Opened:
June 04, 2019 
05:55 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.

Back to top		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		Resolved:
June 27, 2019 
02:00 PM PT

Opened:
June 20, 2019 
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4503294		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.

Back to top		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4503267		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT

-      "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

Affected platforms:
  • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.

Back to top		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		Resolved:
July 09, 2019 
10:00 AM PT

Opened:
May 21, 2019 
08:50 AM PT

-      "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503267.

Back to top		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4503267		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

       

       "
 
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index 35c7f5856c..92e479f7e8 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -38,9 +38,6 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		August 16, 2019 
02:00 PM PT

       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 16299.1331

August 13, 2019
KB4512516		Resolved
KB4512494		August 16, 2019 
02:00 PM PT

       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019 
07:03 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		June 26, 2019 
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4503281		June 18, 2019 
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4503284		June 11, 2019 
10:00 AM PT

       

       "
 
@@ -81,14 +78,3 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512494.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		Resolved:
August 16, 2019 
02:00 PM PT

Opened:
July 10, 2019 
02:51 PM PT

       

       "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.

Back to top		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		Resolved:
June 26, 2019 
04:00 PM PT

Opened:
June 20, 2019 
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4503281		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.

Back to top		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4503284		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index 9aadd14d5a..378576d142 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -41,9 +41,6 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019 
02:00 PM PT
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17134.950

August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019 
02:00 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved External
August 09, 2019 
07:03 PM PT
-      
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4509478June 26, 2019 
04:00 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4503288June 18, 2019 
02:00 PM PT
-      
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4503286June 11, 2019 
10:00 AM PT
       
       "
 
@@ -93,8 +90,5 @@ sections:
     text: "
       
-      
-      
-      
DetailsOriginating updateStatusHistory

       
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4519978.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4519978		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
June 14, 2019 
04:41 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.

Back to top		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4509478		Resolved:
June 26, 2019 
04:00 PM PT

Opened:
June 20, 2019 
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4503288		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.

Back to top		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4503286		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT

       

       "
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index f6351c2c0b..82cba46203 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -42,12 +42,6 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019 
02:00 PM PT
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17763.678

August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019 
02:00 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved External
August 09, 2019 
07:03 PM PT
-      
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 17763.529

May 21, 2019
KB4497934Resolved
KB4509479June 26, 2019 
04:00 PM PT
-      
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers may have issues pairing or connecting to devices.

See details >OS Build 17763.503

May 14, 2019
KB4494441Resolved
KB4501371June 18, 2019 
02:00 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4501371June 18, 2019 
02:00 PM PT
-      
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.

See details >OS Build 17763.379

March 12, 2019
KB4489899Resolved
KB4501371June 18, 2019 
02:00 PM PT
-      
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 17763.529

May 21, 2019
KB4497934Resolved
KB4503327June 11, 2019 
10:00 AM PT
-      
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may terminate the connection.

See details >OS Build 17763.379

March 12, 2019
KB4489899Resolved
KB4503327June 11, 2019 
10:00 AM PT
       
       "
 
@@ -106,27 +100,5 @@ sections:
     text: "
       
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory

       
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4520062.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4520062		Resolved:
October 15, 2019 
10:00 AM PT

Opened:
June 14, 2019 
04:41 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.

Back to top		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4509479		Resolved:
June 26, 2019 
04:00 PM PT

Opened:
June 20, 2019 
04:46 PM PT
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.

Back to top		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
KB4501371		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 14, 2019 
05:45 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4501371		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.

Back to top		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4503327		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
June 05, 2019 
05:49 PM PT

-      "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4501371		Resolved:
June 18, 2019 
02:00 PM PT

Opened:
May 02, 2019 
04:47 PM PT

-      "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503327.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4503327		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

       

       "
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index dffdd5ba5f..f6f7b30864 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -38,7 +38,6 @@ sections:
       
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
November 12, 2019 
08:11 AM PT
       
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved External
November 12, 2019 
08:04 AM PT
       
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019 
02:00 PM PT
-      
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4501375June 27, 2019 
10:00 AM PT
       
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4517389October 08, 2019 
10:00 AM PT
       
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >N/A 

Resolved
KB4522355October 24, 2019 
10:00 AM PT
       
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
October 18, 2019 
04:33 PM PT
@@ -57,10 +56,6 @@ sections:
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved External
August 09, 2019 
07:03 PM PT
       
Display brightness may not respond to adjustments
Devices configured with certain Intel display drivers may experience a driver compatibility issue.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019 
02:00 PM PT
       
RASMAN service may stop working and result in the error “0xc0000005”
The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
KB4505903July 26, 2019 
02:00 PM PT
-      
Loss of functionality in Dynabook Smartphone Link app
Users who update to Windows 10, version 1903 may experience a loss of functionality with Dynabook Smartphone Link.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019 
01:54 PM PT
-      
Error attempting to update with external USB device or memory card attached 
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019 
01:53 PM PT
-      
Audio not working with Dolby Atmos headphones and home theater 
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019 
01:53 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved
KB4501375June 27, 2019 
10:00 AM PT
       
       "
 
@@ -127,7 +122,6 @@ sections:
     text: "
       
-      
DetailsOriginating updateStatusHistory

       
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		Resolved:
July 26, 2019 
02:00 PM PT

Opened:
June 28, 2019 
05:01 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		Resolved:
June 27, 2019 
10:00 AM PT

Opened:
June 12, 2019 
11:11 AM PT

       

       "
 
@@ -140,11 +134,7 @@ sections:
       
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT
       
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved External
Last updated:
November 12, 2019 
08:04 AM PT

Opened:
May 21, 2019 
07:22 AM PT
       
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
Affected platforms:
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:28 AM PT
-      
Cannot launch Camera app 
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
        \"Close other apps, error code: 0XA00F4243.”

To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4501375Resolved:
June 27, 2019 
10:00 AM PT

Opened:
May 21, 2019 
07:20 AM PT
       
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
Resolution: This issue was resolved in KB4512941.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4512941Resolved:
August 30, 2019 
10:00 AM PT

Opened:
May 24, 2019 
04:20 PM PT
       
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:56 AM PT
-      
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019 
01:54 PM PT

Opened:
May 24, 2019 
03:10 PM PT
-      
Error attempting to update with external USB device or memory card attached 
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019 
01:53 PM PT

Opened:
May 21, 2019 
07:38 AM PT
-      
Audio not working with Dolby Atmos headphones and home theater 
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019 
01:53 PM PT

Opened:
May 21, 2019 
07:16 AM PT
       
       "
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 3ba826b5ad..7401114369 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -39,8 +39,6 @@ sections:
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512506Resolved
KB4517297August 16, 2019 
02:00 PM PT
       
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493472Resolved External
August 13, 2019 
06:59 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503292Resolved External
August 09, 2019 
07:03 PM PT
-      
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499164Resolved
KB4503277June 20, 2019 
02:00 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503292Resolved
KB4503277June 20, 2019 
02:00 PM PT
       
       "
 
@@ -81,16 +79,6 @@ sections:
       
       "
 
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499164		Resolved
KB4503277		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 07, 2019 
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277.  If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503292		Resolved
KB4503277		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT

-      "
-
 - title: April 2019
 - items:
   - type: markdown
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index be34bac3ce..d7ed2c1633 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -39,9 +39,6 @@ sections:
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019 
02:00 PM PT
       
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493446Resolved External
August 13, 2019 
06:59 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503276Resolved External
August 09, 2019 
07:03 PM PT
-      
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499151Resolved
KB4503283June 20, 2019 
02:00 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503276Resolved
KB4503283June 20, 2019 
02:00 PM PT
-      
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >March 12, 2019
KB4489881Resolved
KB4503276June 11, 2019 
10:00 AM PT
       
       "
 
@@ -90,16 +87,6 @@ sections:
       
       "
 
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499151		Resolved
KB4503283		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 07, 2019 
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283.  If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503276		Resolved
KB4503283		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT

-      "
-
 - title: April 2019
 - items:
   - type: markdown
@@ -108,12 +95,3 @@ sections:
       
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to topApril 09, 2019
KB4493446Resolved External
Last updated:
August 13, 2019 
06:59 PM PT

Opened:
April 09, 2019 
10:00 AM PT
       
       "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Resolution: This issue was resolved in KB4503276.

Back to top		March 12, 2019
KB4489881		Resolved
KB4503276		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index c0a8e854fa..18fc3ff189 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -37,7 +37,6 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503273Resolved
KB4512499August 17, 2019 
02:00 PM PT
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512476Resolved
KB4517301August 16, 2019 
02:00 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503273Resolved External
August 09, 2019 
07:03 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503273Resolved
KB4503271June 20, 2019 
02:00 PM PT
       
       "
 
@@ -76,12 +75,3 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

Affected platforms:
Resolution: This issue was resolved in KB4512499.

Back to topJune 11, 2019
KB4503273Resolved
KB4512499Resolved:
August 17, 2019 
02:00 PM PT

Opened:
July 10, 2019 
02:51 PM PT
       
       "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271.  If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503273		Resolved
KB4503271		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT

-      "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 268770f5d8..c2bef06cf8 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -37,10 +37,6 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503285Resolved
KB4512512August 17, 2019 
02:00 PM PT
       
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512518Resolved
KB4517302August 16, 2019 
02:00 PM PT
       
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503285Resolved External
August 09, 2019 
07:03 PM PT
-      
Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V VMs may have issues installing some updates when Secure Boot is enabled.

See details >June 11, 2019
KB4503285Resolved
KB4503295June 21, 2019 
02:00 PM PT
-      
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499171Resolved
KB4503295June 21, 2019 
02:00 PM PT
-      
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503285Resolved
KB4503295June 20, 2019 
02:00 PM PT
-      
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >March 12, 2019
KB4489891Resolved
KB4503285June 11, 2019 
10:00 AM PT
       
       "
 
@@ -87,23 +83,3 @@ sections:
       
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

Affected platforms:
Resolution: This issue was resolved in KB4512512.

Back to topJune 11, 2019
KB4503285Resolved
KB4512512Resolved:
August 17, 2019 
02:00 PM PT

Opened:
July 10, 2019 
02:51 PM PT
       
       "
-
-- title: June 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.

Affected platforms:
  • Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.

Back to top		June 11, 2019
KB4503285		Resolved
KB4503295		Resolved:
June 21, 2019 
02:00 PM PT

Opened:
June 19, 2019 
04:57 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499171		Resolved
KB4503295		Resolved:
June 21, 2019 
02:00 PM PT

Opened:
June 07, 2019 
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295.  If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503285		Resolved
KB4503295		Resolved:
June 20, 2019 
02:00 PM PT

Opened:
June 12, 2019 
11:11 AM PT

-      "
-
-- title: March 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Resolution: This issue was resolved in KB4503285.

Back to top		March 12, 2019
KB4489891		Resolved
KB4503285		Resolved:
June 11, 2019 
10:00 AM PT

Opened:
March 12, 2019 
10:00 AM PT

-      "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 780532c8fb..9891ddf467 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index b7c13357d2..d38454e785 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 20cdc6691b..af729c8f0f 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 259b1f258f..397f577291 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -33,11 +33,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 88e42ce4a7..51ee30b209 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -33,11 +33,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -64,7 +64,6 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
@@ -93,7 +92,6 @@ sections:
   - type: markdown
     text: "
       
SummaryOriginating updateStatusLast updated
Microsoft Defender Advanced Threat Protection might stop running
The Microsoft Defender ATP service might stop running and might fail to send reporting data.

See details >		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		November 12, 2019 
10:00 AM PT

       
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
November 12, 2019 
08:05 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17763.805

October 08, 2019
KB4519338		Mitigated External
November 05, 2019 
03:36 PM PT

       
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019 
10:59 AM PT

-      
DetailsOriginating updateStatusHistory
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

Note Microsoft Windows Defender Antivirus is not affected by this issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.

Back to top		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
October 17, 2019 
05:14 PM PT

       
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
Last updated:
November 12, 2019 
08:05 AM PT

Opened:
October 29, 2019 
05:15 PM PT

       

       "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index e89546389a..b1bf959c78 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -33,11 +33,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -64,14 +64,8 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
-      
-      
-      
-      
-      
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4530684		December 10, 2019 
10:00 AM PT

       
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A 

Mitigated External
November 25, 2019 
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 15, 2019 
05:59 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
November 12, 2019 
08:11 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
November 05, 2019 
03:36 PM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 12, 2019 
08:04 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019 
02:00 PM PT

       

       "
 
@@ -91,33 +85,3 @@ sections:
       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
Affected platforms:

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to topOS Build 18362.418

October 08, 2019
KB4517389Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT
       
       "
-
-- title: October 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4530684.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4530684		Resolved:
December 10, 2019 
10:00 AM PT

Opened:
October 29, 2019 
05:15 PM PT

-      "
-
-- title: August 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
November 12, 2019 
08:11 AM PT

Opened:
August 16, 2019 
01:41 PM PT

-      "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 12, 2019 
08:04 AM PT

Opened:
May 21, 2019 
07:22 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019 
02:00 PM PT

Opened:
May 21, 2019 
07:28 AM PT

-      "
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
index a8b1f36597..61f2073d2e 100644
--- a/windows/release-information/status-windows-10-1909.yml
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -33,11 +33,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -64,10 +64,7 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
-      
-      
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved
KB4530684		December 10, 2019 
10:00 AM PT

       
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A 

Mitigated External
November 25, 2019 
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. 

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 22, 2019 
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 15, 2019 
05:59 PM PT

       

       "
 
@@ -86,22 +83,3 @@ sections:
       
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

Affected platforms:
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

Back to topN/A 

Mitigated External
Last updated:
November 25, 2019 
05:25 PM PT

Opened:
November 22, 2019 
04:10 PM PT
       
       "
-
-- title: October 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4530684.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved
KB4530684		Resolved:
December 10, 2019 
10:00 AM PT

Opened:
October 29, 2019 
05:15 PM PT

-      "
-
-- title: May 2019
-- items:
-  - type: markdown
-    text: "
-      
-      
-      
-      
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 22, 2019 
04:10 PM PT

Opened:
May 21, 2019 
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 15, 2019 
05:59 PM PT

Opened:
May 21, 2019 
07:29 AM PT

-      "
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index dadedc3369..574e1ff814 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index d20fb293cd..388b55fa0a 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -60,7 +60,6 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
@@ -79,7 +78,6 @@ sections:
   - type: markdown
     text: "
       
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512489		Resolved
KB4525250		November 12, 2019 
10:00 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520005		Mitigated External
November 05, 2019 
03:36 PM PT

       
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019 
05:53 PM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019 
02:00 PM PT

-      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 (released on August 13, 2019) without installing KB4507457, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512489		Resolved
KB4525250		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520005		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index ba7311b1cc..0a5c7ee17d 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 734e55f864..96c3cad5e2 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -29,11 +29,11 @@ sections:
     columns: 3
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -60,7 +60,6 @@ sections:
   - type: markdown
     text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.


       
-      
@@ -79,7 +78,6 @@ sections:
   - type: markdown
     text: "
       
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019 
10:00 AM PT

       
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520007		Mitigated External
November 05, 2019 
03:36 PM PT

       
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019 
05:53 PM PT

       
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019 
02:00 PM PT

-      
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525253. However, the issue occurs when you install only KB4512482 (released on August 13, 2019) without installing KB4507447, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512482		Resolved
KB4525253		Resolved:
November 12, 2019 
10:00 AM PT

Opened:
November 27, 2019 
04:02 PM PT

       
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520007		Mitigated External
Last updated:
November 05, 2019 
03:36 PM PT

Opened:
November 05, 2019 
03:36 PM PT

       

       "
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index b3441dc375..ee042491ec 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -23,11 +23,11 @@ sections:
     columns: 2
     items:
     
-    - href: https://aka.ms/how-to-get-1909
-      html: Get the update >
+    - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/
+      html: Find out what you need to know >
       image: 
-        src: http://docs.microsoft.com/media/common/i_download-install.svg
-      title: Windows 10, version 1909 now available
+        src: https://docs.microsoft.com/media/common/i_alert.svg
+      title: Windows 7 has reached end of support
     - href: https://aka.ms/1909mechanics
       html: Explore the improvements >
       image: 
@@ -50,6 +50,9 @@ sections:
     text: "
       
       
+      
+      
+      
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index f8a3185eb0..c8bdc813a2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -289,6 +289,16 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi
 
 All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
 
+## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
+You may see the following registry keys under AllCachedCapabilities:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
+
 All Capability SIDs are prefixed by S-1-15-3
 
 ## See also
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 8e823b08e6..0dd5d09a40 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,6 +1,6 @@
 ---
 title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10)
-description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them.
+description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, aka a certificate, can read them.
 ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
 ms.reviewer: 
 keywords: encrypt, digital signature
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 00a4a3e6bb..4eaf65890c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -1,6 +1,6 @@
 ---
 title: How Windows Defender Credential Guard works
-description: Using virtualization-based security, Windows Defender Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
+description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 3869b97501..69155363d3 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,6 +1,6 @@
 ---
 title: Manage Windows Defender Credential Guard (Windows 10)
-description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool.
+description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic
     ```
     dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
     ```
+> [!NOTE]
+> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
 
 > [!NOTE]
 > You can also add these features to an online image by using either DISM or Configuration Manager.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index cacd765584..68102f6e49 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Credential Guard Requirements (Windows 10)
-description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
+description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index e5422219e7..38bbbfc5cd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,6 +1,6 @@
 ---
 title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
-description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.reviewer: 
 ms.prod: w10
@@ -35,7 +35,7 @@ By enabling Windows Defender Credential Guard, the following features and soluti
 ## Related topics
 
 - [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert)
-- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
+- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
 - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
 - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
 - [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 18314f3f58..c0e102cb90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Hello biometrics in the enterprise (Windows 10)
-description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
 ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
 ms.reviewer: 
 keywords: Windows Hello, enterprise biometrics
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 72257804e5..d1efe88759 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -68,3 +68,5 @@ Following are the various deployment guides and models included in this topic:
 
 Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
 
+> [!NOTE]
+> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 9874fcd53a..54e4021adc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -58,6 +58,9 @@ To resolve this issue, the CRL distribution point must be a location that is acc
 
 If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
 
+> [!NOTE]
+> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server.
+
 ### Windows Server 2016 Domain Controllers
 If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers.  Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key.  What do we mean by adequate?  We are glad you asked.  Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
@@ -335,6 +338,3 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). 
  
-
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 8ed6db6fb4..f7a5eed854 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -118,6 +118,11 @@ Hybrid certificate trust deployments need the device write back feature.  Authen
 > [!NOTE]
 > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object.
 
+## Provisioning
+
+You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
+
+
 ### Section Checklist ###
 > [!div class="checklist"]
 > * Azure Active Directory Device writeback
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index e2d7d4fc9c..16c17aa3f9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello
 The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
 
 > [!IMPORTANT]
-> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**.
+> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article.
 
 ### Configure Permissions for Key Synchronization
 
@@ -56,9 +56,6 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 
 1. Open **Active Directory Users and Computers**.
 2. Click the **Users** container in the navigation pane.
-   >[!IMPORTANT]
-   > If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created.
-
 3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**.
 4. Click the **Members** tab and click **Add**
 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account.  Click **OK**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index d2694a48af..d2b1de480f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -40,7 +40,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
 
 A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
 
-You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business.  Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
  
 Review these requirements and those from the Windows Hello for Business planning guide and worksheet.  Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
 
@@ -125,7 +125,11 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
 ## Device Registration
 
 Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory.  Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud.  This ensures that only approved computers are used with that Azure Active Directory.  Each computer registers its identity in Azure Active Directory. 
- 
+
+## Provisioning
+
+You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
+
 
 ### Section Checklist
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 5f6fb9480c..57a2493e4c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using
 Use the event logs to monitor certificate enrollment and archive.  Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions.
 
 
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
+## Follow the Windows Hello for Business on premises key trust deployment guide
 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
 2. Validate and Configure Public Key Infrastructure (*You are here*)
 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 03d90751c8..53ebc5b4f6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,6 +1,6 @@
 ---
 title: Smart Card Technical Reference (Windows 10)
-description: This technical reference for the IT professional and smart card developer describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows.
+description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index aab4745ee9..0194ee2c80 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,6 +1,6 @@
 ---
 title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
-description: This topic for IT professional provides information about how smart card technology can fit into your authentication design, and provides links to additional topics about virtual smart cards.
+description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 6931c47d7b..0206bbd776 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,6 +1,6 @@
 ---
 title: VPN profile options (Windows 10)
-description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
+description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
 ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index 15cb20e4f6..7873e99c18 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker Upgrading FAQ (Windows 10)
-description: Learn more about upgrading systems that have BitLocker enabled.
+description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index cbb074f9fa..60283edd89 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -1,6 +1,6 @@
 ---
 title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
-description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
 keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
 ms.prod: w10
 ms.mktglfcycl: explore
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 0d7d91e071..78edc9a59e 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -1,6 +1,6 @@
 ---
 title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
-description: How to collect and understand your Windows Information Protection audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices only).
+description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 2e4f0f0749..288347b3aa 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -1,9 +1,9 @@
 ---
-title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
+title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
 description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
 ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
 ms.reviewer: 
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -15,26 +15,29 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 05/13/2019
+ms.date: 01/09/2020
 ---
 
-# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
+# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
 **Applies to:**
 
 - Windows 10, version 1607 and later
 - Windows 10 Mobile, version 1607 and later
-- System Center Configuration Manager
+- Microsoft Endpoint Configuration Manager
 
-System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 
 ## Add a WIP policy
-After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+
+>[!TIP]
+> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
 
 **To create a configuration item for WIP**
 
-1.  Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
+1.  Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
 
-    ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
+    ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
 
 2.  Click the **Create Configuration Item** button.

 The **Create Configuration Item Wizard** starts.
@@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts.
 
 3.  On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
 
-4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
+4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
 
     -   **Settings for devices managed with the Configuration Manager client:** Windows 10
 
@@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts.
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
 
 ## Add app rules to your policy
-During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
 
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 
@@ -295,9 +298,9 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
         
     
     ```
-12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager.
+12. After you’ve created your XML file, you need to import it by using Configuration Manager.
 
-**To import your Applocker policy file app rule using System Center Configuration Manager**
+**To import your Applocker policy file app rule using Configuration Manager**
 1.  From the **App rules** area, click **Add**.
 
     The **Add app rule** box appears.
@@ -506,3 +509,5 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz
 - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
 
 - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+
+- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 93a5d00470..37be2ff41c 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,6 +1,6 @@
 ---
 title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
-description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
+description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
 ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
 ms.reviewer: 
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index f9e51d4cb9..576fe7cf71 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -1,6 +1,6 @@
 ---
 title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
-description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
 ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
 ms.reviewer: 
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
index 40ab9e148d..e8ad475fda 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
@@ -1,6 +1,6 @@
 ---
 title: Create a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
-description: System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+description: System Center Configuration Manager helps you create & deploy your enterprise data protection (WIP) policy.
 ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
 ms.reviewer: 
 ms.prod: w10
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a483760fe8..84f646914b 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -42,6 +42,7 @@
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
 
 ### [Endpoint detection and response]()
 #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
@@ -114,21 +115,22 @@
 #### [Advanced hunting schema reference]()
 ##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
 ##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
+##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
+##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
+##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
+##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
+##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
+##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md)
+##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
+##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
+##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
 ##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
 ##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
 ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
 ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
 #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+
 
 #### [Custom detections]()
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -136,8 +138,6 @@
 
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
 
 ### [Integrations]()
 #### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
@@ -153,6 +153,15 @@
 ### [Portal overview](microsoft-defender-atp/portal-overview.md)
 ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
 
+
+## [Deployment guide]()
+### [Product brief](microsoft-defender-atp/product-brief.md)
+### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
+### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
+### [Production deployment](microsoft-defender-atp/production-deployment.md)
+### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
+
+
 ## [Get started]()
 ### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
 ### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
@@ -361,14 +370,15 @@
 ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
 
 #### [Microsoft Defender ATP API]()
-##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
 ##### [Get started with Microsoft Defender ATP APIs]()
-###### [Introduction](microsoft-defender-atp/apis-intro.md)
+###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
+###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
 ###### [Hello World](microsoft-defender-atp/api-hello-world.md)
 ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
+###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 
-##### [APIs]()
+##### [Microsoft Defender ATP APIs Schema]()
 ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 
@@ -406,7 +416,12 @@
 ####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
 ####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
 ####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
-####### [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
+
+###### [Automated Investigation]()
+####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
+####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
+####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
+####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
 
 ###### [Indicators]()
 ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
@@ -442,14 +457,14 @@
 ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
 ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
 
-#### [Windows updates (KB) info]()
-##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
+#### [Raw data streaming API]()
+##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
+##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
+##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
+ 
 
-#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
-##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
-
-
-#### [Pull detections to your SIEM tools]()
+#### [SIEM integration]()
+##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
 ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
 ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
 ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
@@ -458,6 +473,7 @@
 ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
 ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 
+
 #### [Reporting]()
 ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
 ##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
@@ -484,45 +500,55 @@
 ###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
 ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
 
-#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
+#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+
+## [Partner integration scenarios]()
+### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
+### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
+### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
+
+
+## [Configure Microsoft threat protection integration]()
+### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
+### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
+### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
+
+## [Configure portal settings]()
+### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
+### [General]()
+#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
+#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
+#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
+#### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
+
+### [Permissions]()
+#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
+#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
+##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
+##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
+###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
+
+### [APIs]()
+#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
+#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+ 
+### [Rules]()
+#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
+#### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
+#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
+#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
+ 
+### [Machine management]()
+#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
+#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
+ 
+### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
 
 
-### [Configure Microsoft threat protection integration]()
-#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
-#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
 
-### [Configure portal settings]()
-#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
-#### [General]()
-##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
-##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
-##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
 
-#### [Permissions]()
-##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
-####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
 
-#### [APIs]()
-##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-  
-#### [Rules]()
-##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
-##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
-##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
-  
-#### [Machine management]()
-##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
-##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
-  
-#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
 
 
 ## [Troubleshoot Microsoft Defender ATP]()
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 34e1304ce4..1ea3e878e6 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Account Lockout (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
+description: The policy setting, Audit Account Lockout, enables you to audit security events  generated by a failed attempt to log on to an account that is locked out.
 ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 96f7a50301..8dce282dfa 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Application Group Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
+description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
 ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 8020663eb5..4a6f754c01 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Authentication Policy Change (Windows 10)
-description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
+description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
 ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index af4339ce53..bb4d048a5f 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Authorization Policy Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
+description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
 ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 4214420b03..a1e50c1538 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Certification Services (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
+description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
 ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index d0d902a868..ab838fd042 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Computer Account Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
+description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
 ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index feac5d138b..9ce3b5aa5b 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Credential Validation (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
+description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
 ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 2b345207d2..859859fc2b 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Detailed Directory Service Replication (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
+description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
 ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 41ed83320d..69a9d636c7 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Detailed File Share (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
+description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
 ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index ae15d23652..0a13f90a87 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Directory Service Access (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
+description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed.
 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 835e1fd7f3..fc94d79d95 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -1,6 +1,6 @@
 ---
 title: Audit DPAPI Activity (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
+description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls  to the data protection application interface (DPAPI) generate audit events.
 ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 512ae2084a..ccab879b4f 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -1,6 +1,6 @@
 ---
 title: Audit File Share (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
+description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
 ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index fe21575b2b..57ea7bc917 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -1,6 +1,6 @@
 ---
 title: Audit File System (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
+description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
 ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 734f231b24..52475e4276 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Filtering Platform Connection (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
+description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
 ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 18b2e9556d..e9047b6c8a 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Group Membership (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
+description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 3802d34249..64fd2edce2 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Handle Manipulation (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
+description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
 ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 0f0a9fa7b5..d396f0ed40 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -1,6 +1,6 @@
 ---
 title: Audit IPsec Driver (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
+description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
 ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index af3502ddce..37421d3b3e 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -1,6 +1,6 @@
 ---
 title: Audit IPsec Extended Mode (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
+description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
 ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 54e46c85cd..290c41687a 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -1,6 +1,6 @@
 ---
 title: Audit IPsec Quick Mode (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
+description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
 ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index f8bacdd852..27a1d4a933 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Kerberos Service Ticket Operations (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
+description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
 ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 44049a109f..60f0a374d8 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Kernel Object (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
+description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
 ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 45e9abeb45..c4d6606795 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Logoff (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
+description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
 ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 3742607eba..711c16301c 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Logon (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
+description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
 ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index cd054ab132..2795a0bb73 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Account Management Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
+description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
 ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index b10a5106ba..9265129828 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Logon/Logoff Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
+description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
 ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 3bfc786df1..54b132e114 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Object Access Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
+description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
 ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index e156529bf1..2ceacf7bd7 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Policy Change Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
+description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
 ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 839166429b..314723a738 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Other System Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
+description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
 ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 6e2ce1aa93..2d1298584a 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -1,6 +1,6 @@
 ---
 title: Audit PNP Activity (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
+description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
 ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index f002a9938a..c10e8072f7 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Security State Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
+description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
 ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index cae080c72b..ec7e84c990 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Special Logon (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
+description: The Advanced Security Audit policy setting, Audit Special Logon, determines if  audit events are generated under special sign in (or logon) circumstances.
 ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
 ms.reviewer: 
 manager: dansimp
@@ -37,9 +37,9 @@ This subcategory allows you to audit events generated by special logons such as
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation       | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 606b78493e..89d27ff3cb 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -1,6 +1,6 @@
 ---
 title: Audit System Integrity (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
+description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
 ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index 438dd850c9..b6b09ddae8 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,6 +1,6 @@
 ---
 title: Audit object access (Windows 10)
-description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
+description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
 ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 10876a5671..f97c972551 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -184,6 +184,7 @@ The most common values:
 | 2    | PA-ENC-TIMESTAMP       | This is a normal type for standard password authentication.                                                                                                                                                                                                                                                                                                                                                      |
 | 11   | PA-ETYPE-INFO          | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment.  |
 | 15   | PA-PK-AS-REP\_OLD      | Used for Smart Card logon authentication.                                                                                                                                                                                                                                                                                                                                                                        |
+| 16   | PA-PK-AS-REQ           | Request sent to KDC in Smart Card authentication scenarios.|
 | 17   | PA-PK-AS-REP           | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.                                                                                                                                                                                                                                                                                     |
 | 19   | PA-ETYPE-INFO2         | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
 | 20   | PA-SVR-REFERRAL-INFO   | Used in KDC Referrals tickets.                                                                                                                                                                                                                                                                                                                                                                                   |
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index 06ffbee5b0..4e98d50f44 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -126,8 +126,9 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
 
 -   **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. Possible values:
 
-| Audit Credential Validation              | Audit Process Termination                    | Audit Other Logon/Logoff Events      |
+| Value              | Value                    | Value      |
 |------------------------------------------|----------------------------------------------|--------------------------------------|
+| Audit Credential Validation              | Audit Process Termination                    | Audit Other Logon/Logoff Events      |
 | Audit Kerberos Authentication Service    | Audit RPC Events                             | Audit Special Logon                  |
 | Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated          |
 | Audit Other Logon/Logoff Events          | Audit Directory Service Access               | Audit Certification Services         |
@@ -145,7 +146,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
 | Audit Policy Change                      | Audit Non-Sensitive Privilege Use            | Audit System Integrity               |
 | Audit Authentication Policy Change       | Audit Sensitive Privilege Use                | Audit PNP Activity                   |
 | Audit Authorization Policy Change        | Audit Other Privilege Use Events             |                                      |
-| Group Membership                         | Audit Network Policy Server                  |                                      |
+| Audit Group Membership                         | Audit Network Policy Server                  |                                      |
 
 -   **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory.
 
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index dd7bb7d69d..0bd8a3b9b6 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -1,6 +1,6 @@
 ---
 title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
-description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
+description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 326fc606d7..23bf6e5c30 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -1,6 +1,6 @@
 ---
 title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10)
-description: Describes security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
+description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. 
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 7206b6d8af..6787ac6329 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -1,6 +1,6 @@
 ---
 title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10)
-description: Describes security event 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
+description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index 782e49e3bc..c9d3a1c9ba 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -1,6 +1,6 @@
 ---
 title: File System (Global Object Access Auditing) (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
+description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
 ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 6251ca7c4f..ba4901004c 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor central access policy and rule definitions (Windows 10)
-description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
+description: Learn how to use advanced security auditing options to monitor changes to central access policy and central access rule definitions.
 ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index 3504ca7a55..d2369fe778 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor claim types (Windows 10)
-description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
+description: Learn how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
 ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index 943eff5d1e..14dccc71b4 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor resource attribute definitions (Windows 10)
-description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
+description: Learn how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
 ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index 9e48a92f25..e1418e2ad9 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor the resource attributes on files and folders (Windows 10)
-description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.
+description: Learn how to use advanced security auditing options to monitor attempts to change settings on the resource attributes of files.
 ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index b163b7b6f6..18d2e3d8c2 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor the use of removable storage devices (Windows 10)
-description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
+description: Learn how advanced security auditing options can be used to monitor attempts to use removable storage devices to access network resources.
 ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index 1964224c17..606e073432 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -1,6 +1,6 @@
 ---
 title: Monitor user and device claims during sign-in (Windows 10)
-description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.
+description: Learn how to monitor user and device claims that are associated with a user’s security token. This advice assumes you have deployed Dynamic Access Control.
 ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index fb3c6e1a6f..c21ba65a4c 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -1,6 +1,6 @@
 ---
 title: Planning and deploying advanced security audit policies (Windows 10)
-description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
+description: Learn which options to consider and tasks to complete, to deploy an effective security audit policy in a network that includes advanced security audit policies.
 ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index 512168ee42..8859ea5f7e 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Security auditing (Windows 10)
-description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
+description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed.
 ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 919b779ce8..91e999ee6e 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -1,6 +1,6 @@
 ---
 title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10)
-description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
+description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
 ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg
new file mode 100644
index 0000000000..e79d2b057d
Binary files /dev/null and b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg differ
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index fbedd10908..1ec28a4e93 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -1,7 +1,7 @@
 ---
 title: How Microsoft identifies malware and potentially unwanted applications
 ms.reviewer: 
-description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications.
+description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it is malware or a potentially unwanted application.
 keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
 ms.prod: w10
 ms.mktglfcycl: secure
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 7bce69882c..3313e1d680 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -17,9 +17,9 @@ search.appverid: met150
 ---
 # Prevent malware infection
 
-Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
+Malware authors are always looking for new ways to infect computers. Follow the tips below to stay protected and minimize threats to your data and accounts.
 
-## Keep software up-to-date
+## Keep software up to date
 
 [Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
 
@@ -27,7 +27,7 @@ To keep Microsoft software up to date, ensure that [automatic Microsoft Updates]
 
 ## Be wary of links and attachments
 
-Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails will give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
+Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
 
 * Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
 
@@ -35,7 +35,7 @@ For more information, see [phishing](phishing.md).
 
 ## Watch out for malicious or compromised websites
 
-By visiting malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware.  See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
+When you visit malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
 
 To identify potentially harmful websites, keep the following in mind:
 
@@ -43,7 +43,7 @@ To identify potentially harmful websites, keep the following in mind:
 
 * Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.
 
-To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) which identifies phishing and malware websites and checks downloads for malware.
+To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) that identifies phishing and malware websites and checks downloads for malware.
 
 If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
 
@@ -53,11 +53,11 @@ Using pirated content is not only illegal, it can also expose your device to mal
 
 Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
 
-To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
+To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/s-mode), which ensures that only vetted apps from the Windows Store are installed.
 
 ## Don't attach unfamiliar removable drives
 
-Some types of malware can spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public places to victimize unsuspecting individuals.
+Some types of malware spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives by leaving them in public places for unsuspecting individuals.
 
 Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.
 
@@ -65,7 +65,7 @@ Only use removable drives that you are familiar with or that come from a trusted
 
 At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
 
-By default, Windows uses [User Account Control (UAC)](https://docs.microsoft.com/windows/access-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can simply override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
+By default, Windows uses [User Account Control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
 
 To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
 
@@ -75,9 +75,9 @@ Whenever necessary, log in as an administrator to install apps or make configura
 
 ## Other safety tips
 
-To further ensure that data is protected from malware as well as other threats:
+To further ensure that data is protected from malware and other threats:
 
-* Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about/?ocid=cx-wdsi-articles) for reliable cloud-based copies that allows access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.
+* Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about) for reliable cloud-based copies that allow access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.
 
 * Be wary when connecting to public hotspots, particularly those that do not require authentication.
 
@@ -91,9 +91,9 @@ To further ensure that data is protected from malware as well as other threats:
 
 Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
 
-* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up-to-date to get the latest protections.
+* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
 
-* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+* [Controlled folder access](../microsoft-defender-atp/enable-controlled-folders.md) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
 
 * [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
 
@@ -101,13 +101,13 @@ Microsoft provides comprehensive security capabilities that help protect against
 
 * [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
 
-* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
+* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
 
-* [Office 365 Advanced Threat Protection](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
+* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
 
 * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
 
-* [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge.
+* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge.
 
 * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
 
@@ -117,6 +117,6 @@ Microsoft provides comprehensive security capabilities that help protect against
 
 ## What to do with a malware infection
 
-Microsoft Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
+Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.
 
 In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index cfda4379ca..5aded1e416 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -1,7 +1,7 @@
 ---
 title: Virus Information Alliance
 ms.reviewer: 
-description: The Microsoft Virus Information Alliance (VIA) is an antimalware collaboration program for security software and service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime.
+description: The Microsoft Virus Information Alliance (VIA) is a collaborative antimalware program for organizations fighting cybercrime.
 keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI
 ms.prod: w10
 ms.mktglfcycl: secure
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index d619963f4f..0e8ba41a5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -18,10 +18,19 @@ ms.topic: article
 
 # Add or Remove Machine Tags API
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Adds or remove tag to a specific [Machine](machine.md).
+
+
+## Limitations
+1. You can post on machines last seen in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-This API adds or remove tag to a specific machine.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -77,34 +86,4 @@ Content-type: application/json
   "Action": "Add"
 }
 
-```
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
-    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2018-08-02T14:55:03.7791856Z",
-	"lastSeen": "2018-08-02T14:55:03.7791856Z",
-    "osPlatform": "Windows10",
-    "osVersion": "10.0.0.0",
-    "lastIpAddress": "172.17.230.209",
-    "lastExternalIpAddress": "167.220.196.71",
-    "agentVersion": "10.5830.18209.1001",
-    "osBuild": 18209,
-    "healthStatus": "Active",
-    "rbacGroupId": 140,
-	"rbacGroupName": "The-A-Team",
-    "riskScore": "Low",
-    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-	"machineTags": [ "test tag 1", "test tag 2" ]
-}
-
-```
-
 - To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
index 84eb799e45..c7fd28fc75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@@ -1,7 +1,7 @@
 ---
-title: AlertEvents table in the Advanced hunting schema
-description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
+title: AlertEvents table in the advanced hunting schema
+description: Learn about alert generation events in the AlertEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -26,25 +26,25 @@ ms.date: 10/08/2019
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 
-The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
+The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
 
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| AlertId | string | Unique identifier for the alert |
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| Category | string | Type of threat indicator or breach activity identified by the alert |
-| Title | string | Title of the alert |
-| FileName | string | Name of the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| RemoteIP | string | IP address that was being connected to |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| Table | string | Table that contains the details of the event |
+| `AlertId` | string | Unique identifier for the alert |
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
+| `Category` | string | Type of threat indicator or breach activity identified by the alert |
+| `Title` | string | Title of the alert |
+| `FileName` | string | Name of the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| `RemoteIP` | string | IP address that was being connected to |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `Table` | string | Table that contains the details of the event |
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index bb1e594c49..7ce887afa8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -1,7 +1,7 @@
 ---
-title: Query best practices for Advanced hunting
-description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
+title: Query best practices for advanced hunting
+description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -41,14 +41,14 @@ Apply these recommendations to get results faster and avoid timeouts while runni
 ## Query tips and pitfalls
 
 ### Queries with process IDs
-Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
+Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
 
 The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
 
-```
-NetworkCommunicationEvents
-| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
-| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
+```kusto
+DeviceNetworkEvents
+| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
+| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
 | where RemoteIPCount > 10
 ```
 
@@ -68,19 +68,19 @@ To create more durable queries using command lines, apply the following practice
 
 The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
 
-```
+```kusto
 // Non-durable query - do not use
-ProcessCreationEvents
+DeviceProcessEvents
 | where ProcessCommandLine == "net stop MpsSvc"
 | limit 10
 
 // Better query - filters on filename, does case-insensitive matches
-ProcessCreationEvents
-| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" 
+DeviceProcessEvents
+| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" 
 
 // Best query also ignores quotes
-ProcessCreationEvents
-| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
+DeviceProcessEvents
+| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
 | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" 
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
new file mode 100644
index 0000000000..9134afc574
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -0,0 +1,86 @@
+---
+title: DeviceEvents table in the advanced hunting schema
+description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `FileName` | string | Name of the file that the recorded action was applied to |
+| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
+| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `AccountDomain` | string | Domain of the account |
+| `AccountName` |string | User name of the account |
+| `AccountSid` | string | Security Identifier (SID) of the account |
+| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
+| `ProcessId` | int | Process ID (PID) of the newly created process |
+| `ProcessCommandLine` | string | Command line used to create the new process |
+| `ProcessCreationTime` | datetime | Date and time the process was created |
+| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
+| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| `RegistryKey` | string | Registry key that the recorded action was applied to |
+| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
+| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
+| `RemoteIP` | string | IP address that was being connected to |
+| `RemotePort` | int | TCP port on the remote device that was being connected to |
+| `LocalIP` | string | IP address assigned to the local machine used during communication |
+| `LocalPort` | int | TCP port on the local machine used during communication |
+| `FileOriginUrl` | string | URL where the file was downloaded from |
+| `FileOriginIP` | string | IP address where the file was downloaded from |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
new file mode 100644
index 0000000000..f386c93d96
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
@@ -0,0 +1,60 @@
+---
+title: DeviceFileCertificateInfoBeta table in the advanced hunting schema
+description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 01/14/2020
+---
+
+# DeviceFileCertificateInfoBeta
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `IsSigned` | boolean | Indicates whether the file is signed |
+| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
+| `Signer` | string | Information about the signer of the file |
+| `SignerHash` | string | Unique hash value identifying the signer |
+| `Issuer` | string | Information about the issuing certificate authority (CA) |
+| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
+| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
+| `CrlDistributionPointUrls` | string |  JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
+| `CertificateCreationTime` | datetime | Date and time the certificate was created |
+| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
+| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
+| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
+| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
new file mode 100644
index 0000000000..82bc19d642
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@@ -0,0 +1,78 @@
+---
+title: DeviceFileEvents table in the advanced hunting schema 
+description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceFileEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see  [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `FileName` | string | Name of the file that the recorded action was applied to |
+| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
+| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `FileOriginUrl` | string | URL where the file was downloaded from |
+| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
+| `FileOriginIP` | string | IP address where the file was downloaded from |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
+| `ShareName` | string | Name of shared folder containing the file |
+| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
+| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
+| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
+| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
+| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
+| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
+| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
new file mode 100644
index 0000000000..d57a965bcf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -0,0 +1,64 @@
+---
+title: DeviceImageLoadEvents table in the advanced hunting schema
+description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceImageLoadEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceImageLoadEvents table` in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `FileName` | string | Name of the file that the recorded action was applied to |
+| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
new file mode 100644
index 0000000000..f05d8d0382
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@@ -0,0 +1,53 @@
+---
+title: DeviceInfo table in the advanced hunting schema
+description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo 
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceInfo
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine |
+| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
+| `OSArchitecture` | string | Architecture of the operating system running on the machine |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
+| `OSBuild` | string | Build version of the operating system running on the machine |
+| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
+| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format |
+| `RegistryDeviceTag` | string | Machine tag added through the registry |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+| `OSVersion` | string | Version of the operating system running on the machine |
+| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
new file mode 100644
index 0000000000..689d68d6e6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -0,0 +1,72 @@
+---
+title: DeviceLogonEvents table in the advanced hunting schema
+description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceLogonEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string	| Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string |Type of activity that triggered the event |
+| `AccountDomain` | string | Domain of the account |
+| `AccountName` | string | User name of the account |
+| `AccountSid` | string | Security Identifier (SID) of the account |
+| `LogonType` | string | Type of logon session, specifically:

 - **Interactive** - User physically interacts with the machine using the local keyboard and screen

 - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

 - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

 - **Batch** - Session initiated by scheduled tasks

 - **Service** - Session initiated by services as they start
 |
+| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
+| `RemoteIP` | string | IP address that was being connected to |
+| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| `RemotePort` | int | TCP port on the remote device that was being connected to |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
new file mode 100644
index 0000000000..fb91c21fd2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -0,0 +1,68 @@
+---
+title: DeviceNetworkEvents table in the advanced hunting schema
+description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceNetworkEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `RemoteIP` | string | IP address that was being connected to |
+| `RemotePort` | int | TCP port on the remote device that was being connected to |
+| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
+| `LocalIP` | string | IP address assigned to the local machine used during communication |
+| `LocalPort` | int | TCP port on the local machine used during communication |
+| `Protocol` | string | IP protocol used, whether TCP or UDP |
+| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
new file mode 100644
index 0000000000..ba7cf147bf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -0,0 +1,54 @@
+---
+title: DeviceNetworkInfo table in the advanced hunting schema
+description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceNetworkInfo
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `NetworkAdapterName` | string | Name of the network adapter |
+| `MacAddress` | string | MAC address of the network adapter |
+| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
+| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
+| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
+| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
+| `DnsAddresses` | string | DNS server addresses in JSON array format |
+| `IPv4Dhcp` | string | IPv4 address of DHCP server |
+| `IPv6Dhcp` | string | IPv6 address of DHCP server |
+| `DefaultGateways` | string | Default gateway addresses in JSON array format |
+| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
new file mode 100644
index 0000000000..7b656947ec
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -0,0 +1,76 @@
+---
+title: DeviceProcessEvents table in the advanced hunting schema
+description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceProcessEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `FileName` | string | Name of the file that the recorded action was applied to |
+| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
+| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
+| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
+| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
+| `ProcessId` | int | Process ID (PID) of the newly created process |
+| `ProcessCommandLine` | string | Command line used to create the new process |
+| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
+| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
+| `ProcessCreationTime` | datetime | Date and time the process was created |
+| `AccountDomain` | string | Domain of the account |
+| `AccountName` | string | User name of the account |
+| `AccountSid` | string | Security Identifier (SID) of the account |
+| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
+| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
new file mode 100644
index 0000000000..8dfc835e93
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -0,0 +1,66 @@
+---
+title: DeviceRegistryEvents table in the advanced hunting schema
+description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 10/08/2019
+---
+
+# DeviceRegistryEvents
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | datetime | Date and time when the event was recorded |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `ActionType` | string | Type of activity that triggered the event |
+| `RegistryKey` | string | Registry key that the recorded action was applied to |
+| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
+| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
+| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
+| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
+| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
+| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
+| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
+| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
+| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
+| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
+| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
+| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
+| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
+| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
+| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
+| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
deleted file mode 100644
index 957282b72c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: FileCreationEvents table in the Advanced hunting schema 
-description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# FileCreationEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see  [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| FileName | string | Name of the file that the recorded action was applied to |
-| FolderPath | string | Folder containing the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| FileOriginUrl | string | URL where the file was downloaded from |
-| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
-| FileOriginIP | string | IP address where the file was downloaded from |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
-| ShareName | string | Name of shared folder containing the file |
-| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
-| RequestSourcePort | string | Source port on the remote device that initiated the activity |
-| RequestAccountName | string | User name of account used to remotely initiate the activity |
-| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
-| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
-| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
-| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
deleted file mode 100644
index 68ceff1055..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: ImageLoadEvents table in the Advanced hunting schema
-description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# ImageLoadEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| FileName | string | Name of the file that the recorded action was applied to |
-| FolderPath | string | Folder containing the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
deleted file mode 100644
index eb6044fda7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: LogonEvents table in the Advanced hunting schema
-description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# LogonEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string	| Fully qualified domain name (FQDN) of the machine |
-| ActionType | string |Type of activity that triggered the event |
-| AccountDomain | string | Domain of the account |
-| AccountName | string | User name of the account |
-| AccountSid | string | Security Identifier (SID) of the account |
-| LogonType | string | Type of logon session, specifically:

 - **Interactive** - User physically interacts with the machine using the local keyboard and screen

 - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

 - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

 - **Batch** - Session initiated by scheduled tasks

 - **Service** - Session initiated by services as they start
 |
-| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
-| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name  or a host name without domain information |
-| RemoteIP | string | IP address that was being connected to |
-| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| RemotePort | int | TCP port on the remote device that was being connected to |
-| AdditionalFields | string | Additional information about the event in JSON array format |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
deleted file mode 100644
index a986602549..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: MachineInfo table in the Advanced hunting schema
-description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# MachineInfo
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
-| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
-| OSArchitecture | string | Architecture of the operating system running on the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
-| OSBuild | string | Build version of the operating system running on the machine |
-| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
-| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
-| RegistryMachineTag | string | Machine tag added through the registry |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| OSVersion | string | Version of the operating system running on the machine |
-| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
deleted file mode 100644
index a09d2619f2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: MachineNetworkInfo table in the Advanced hunting schema
-description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# MachineNetworkInfo
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| NetworkAdapterName | string | Name of the network adapter |
-| MacAddress | string | MAC address of the network adapter |
-| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
-| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
-| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
-| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
-| DnsAddresses | string | DNS server addresses in JSON array format |
-| IPv4Dhcp | string | IPv4 address of DHCP server |
-| IPv6Dhcp | string | IPv6 address of DHCP server |
-| DefaultGateways | string | Default gateway addresses in JSON array format |
-| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
deleted file mode 100644
index 2e6c3ad70f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: MiscEvents table in the advanced hunting schema
-description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# MiscEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| FileName | string | Name of the file that the recorded action was applied to |
-| FolderPath | string | Folder containing the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| AccountDomain | string | Domain of the account |
-| AccountName |string | User name of the account |
-| AccountSid | string | Security Identifier (SID) of the account |
-| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
-| ProcessId | int | Process ID (PID) of the newly created process |
-| ProcessCommandLine | string | Command line used to create the new process |
-| ProcessCreationTime | datetime | Date and time the process was created |
-| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
-| RegistryKey | string | Registry key that the recorded action was applied to |
-| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
-| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
-| RemoteIP | string | IP address that was being connected to |
-| RemotePort | int | TCP port on the remote device that was being connected to |
-| LocalIP | string | IP address assigned to the local machine used during communication |
-| LocalPort | int | TCP port on the local machine used during communication |
-| FileOriginUrl | string | URL where the file was downloaded from |
-| FileOriginIP | string | IP address where the file was downloaded from |
-| AdditionalFields | string | Additional information about the event in JSON array format |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
deleted file mode 100644
index 5485d2b86e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: NetworkCommunicationEvents table in the Advanced hunting schema
-description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# NetworkCommunicationEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| RemoteIP | string | IP address that was being connected to |
-| RemotePort | int | TCP port on the remote device that was being connected to |
-| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| LocalIP | string | IP address assigned to the local machine used during communication |
-| LocalPort | int | TCP port on the local machine used during communication |
-| Protocol | string | IP protocol used, whether TCP or UDP |
-| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
index 33df9bb93f..73a0af658e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
@@ -1,7 +1,7 @@
 ---
-title: Overview of Advanced hunting
+title: Overview of advanced hunting
 description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
 
-# Proactively hunt for threats with Advanced hunting
+# Proactively hunt for threats with advanced hunting
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
@@ -28,9 +28,9 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t
 
 You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
 
-## Get started with Advanced hunting
+## Get started with advanced hunting
 
-We recommend going through several steps to quickly get up and running with Advanced hunting.
+We recommend going through several steps to quickly get up and running with advanced hunting.
 
 | Learning goal | Description | Resource |
 |--|--|--|
@@ -41,7 +41,7 @@ We recommend going through several steps to quickly get up and running with Adva
 
 ## Get help as you write queries
 Take advantage of the following functionality to write queries faster:
-- **Autosuggest** — as you write queries, Advanced hunting provides suggestions. 
+- **Autosuggest** — as you write queries, advanced hunting provides suggestions. 
 - **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
 
 ## Drilldown from query results
@@ -54,14 +54,14 @@ Right-click a value in the result set to quickly enhance your query. You can use
 - Exclude the selected value from the query (`!=`)
 - Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
 
-![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
+![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
 
 ## Filter the query results
 The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
 
 Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
 
-![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
+![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
 
 Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
deleted file mode 100644
index 43746ac557..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: ProcessCreationEvents table in the Advanced hunting schema
-description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# ProcessCreationEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| FileName | string | Name of the file that the recorded action was applied to |
-| FolderPath | string | Folder containing the file that the recorded action was applied to |
-| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
-| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
-| MD5 | string | MD5 hash of the file that the recorded action was applied to |
-| ProcessId | int | Process ID (PID) of the newly created process |
-| ProcessCommandLine | string | Command line used to create the new process |
-| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
-| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| ProcessCreationTime | datetime | Date and time the process was created |
-| AccountDomain | string | Domain of the account |
-| AccountName | string | User name of the account |
-| AccountSid | string | Security Identifier (SID) of the account |
-| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 0fa6f9bfc2..85f9a0c799 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -1,7 +1,7 @@
 ---
-title: Learn the Advanced hunting query language
-description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
+title: Learn the advanced hunting query language
+description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,14 +18,14 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
 
-# Learn the Advanced hunting query language
+# Learn the advanced hunting query language
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
+Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
 
 ## Try your first query
 
@@ -33,37 +33,37 @@ In Microsoft Defender Security Center, go to **Advanced hunting** to run your fi
 
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents  
-| where EventTime > ago(7d)
+DeviceProcessEvents  
+| where Timestamp > ago(7d)
 | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
 | where ProcessCommandLine has "Net.WebClient"
         or ProcessCommandLine has "DownloadFile"
         or ProcessCommandLine has "Invoke-WebRequest"
         or ProcessCommandLine has "Invoke-Shellcode"
         or ProcessCommandLine contains "http:"
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by Timestamp
 ```
 
-This is how it will look like in Advanced hunting.
+This is how it will look like in advanced hunting.
 
-![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
 
 ### Describe the query and specify the table to search
 The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
 
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents
+DeviceProcessEvents
 ```
 
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `ProcessCreationEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `DeviceProcessEvents` and add piped elements as needed.
 
 ### Set the time range
 The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
 ```kusto
-| where EventTime > ago(7d)
+| where Timestamp > ago(7d)
 ```
 ### Search for specific executable files
 The time range is immediately followed by a search for files representing the PowerShell application.
@@ -85,48 +85,48 @@ Afterwards, the query looks for command lines that are typically used with Power
 Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
 
 ```kusto
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by Timestamp
 ```
 
 Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
 
-## Learn common query operators for Advanced hunting
+## Learn common query operators for advanced hunting
 
-Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
+Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
 
 | Operator | Description and usage |
 |--|--|
-| **`where`** | Filter a table to the subset of rows that satisfy a predicate. |
-| **`summarize`** | Produce a table that aggregates the content of the input table. |
-| **`join`** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
-| **`count`** | Return the number of records in the input record set. |
-| **`top`** | Return the first N records sorted by the specified columns. |
-| **`limit`** | Return up to the specified number of rows. |
-| **`project`** | Select the columns to include, rename or drop, and insert new computed columns. |
-| **`extend`** | Create calculated columns and append them to the result set. |
-| **`makeset`** |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
-| **`find`** | Find rows that match a predicate across a set of tables. |
+| `where` | Filter a table to the subset of rows that satisfy a predicate. |
+| `summarize` | Produce a table that aggregates the content of the input table. |
+| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
+| `count` | Return the number of records in the input record set. |
+| `top` | Return the first N records sorted by the specified columns. |
+| `limit` | Return up to the specified number of rows. |
+| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
+| `extend` | Create calculated columns and append them to the result set. |
+| `makeset` |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
+| `find` | Find rows that match a predicate across a set of tables. |
 
-To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
+To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
 
 ## Understand data types
 
-Data in Advanced hunting tables are generally classified into the following data types.
+Data in advanced hunting tables are generally classified into the following data types.
 
 | Data type | Description and query implications |
 |--|--|
-| **datetime** | Data and time information typically representing event timestamps |
-| **string** | Character string |
-| **bool** | True or false |
-| **int** | 32-bit numeric value  |
-| **long** | 64-bit numeric value |
+| `datetime` | Data and time information typically representing event timestamps |
+| `string` | Character string |
+| `bool` | True or false |
+| `int` | 32-bit numeric value  |
+| `long` | 64-bit numeric value |
 
 ## Use sample queries
 
 The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
 
-![Image of Advanced hunting window](images/atp-advanced-hunting.png)
+![Image of advanced hunting window](images/atp-advanced-hunting.png)
 
 > [!NOTE]
 > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
@@ -140,4 +140,4 @@ For detailed information about the query language, see [Kusto query language doc
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
deleted file mode 100644
index 05c6b7386b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: RegistryEvents table in the Advanced hunting schema
-description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance 
-ms.topic: article
-ms.date: 10/08/2019
----
-
-# RegistryEvents
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ActionType | string | Type of activity that triggered the event |
-| RegistryKey | string | Registry key that the recorded action was applied to |
-| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
-| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
-| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
-| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
-| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
-| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
-| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
-| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
-| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
-| InitiatingProcessFileName | string | Name of the process that initiated the event |
-| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
-| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
-| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
-| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
-| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
-| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
-| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 3f8acdb5d6..8eb7542ce5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -1,7 +1,7 @@
 ---
 title: Advanced hunting schema reference
-description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on 
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data
+description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on 
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,10 +15,10 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
+ms.date: 01/14/2020
 ---
 
-# Understand the Advanced hunting schema
+# Understand the advanced hunting schema
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -27,26 +27,27 @@ ms.date: 10/08/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
+The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
 
 ## Schema tables
 
-The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
+The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
 
-Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
+Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
 
 | Table name | Description |
 |------------|-------------|
 | **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
-| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
-| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
-| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
-| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
-| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
-| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
-| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
+| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
+| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
+| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
+| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
+| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
+| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
+| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
 | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
 | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
 | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index d32a485fd7..b24bb4db00 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -1,7 +1,7 @@
 ---
-title: Use shared queries in Advanced hunting
+title: Use shared queries in advanced hunting
 description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
 
-# Use shared queries in Advanced hunting
+# Use shared queries in advanced hunting
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -54,10 +54,10 @@ You can save a new or existing query so that it is only accessible to you or sha
 2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
 
 ## Access queries in the GitHub repository  
-Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
+Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
 
 >[!TIP]
->Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
+>Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
index 736db7d11f..7900a4dce4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@@ -1,7 +1,7 @@
 ---
-title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
+title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
 description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. 
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment  
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment  
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -28,21 +28,21 @@ ms.date: 11/12/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
+Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
 
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| Timestamp | datetime |Date and time when the record was generated |
-| ConfigurationId | string | Unique identifier for a specific configuration |
-| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| `Timestamp` | datetime |Date and time when the record was generated |
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
 
 
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
index 5da1e8e986..c5a3a9fbda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@@ -1,7 +1,7 @@
 ---
-title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
+title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
 description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. 
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -28,22 +28,22 @@ ms.date: 11/12/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
 
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| ConfigurationId | string | Unique identifier for a specific configuration |
-| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| ConfigurationName | string | Display name of the configuration |
-| ConfigurationDescription | string | Description of the configuration |
-| RiskDescription | string | Description of the associated risk |
-| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
-| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| RelatedMitreTactics  | string | List of Mitre ATT&CK framework tactics related to the configuration |
+| `ConfigurationId` | string | Unique identifier for a specific configuration |
+| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| `ConfigurationName` | string | Display name of the configuration |
+| `ConfigurationDescription` | string | Description of the configuration |
+| `RiskDescription` | string | Description of the associated risk |
+| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
+| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
+| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
index dc92507b8e..5323e67ad0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -1,7 +1,7 @@
 ---
-title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
+title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
+description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -29,22 +29,22 @@ ms.date: 11/12/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
 
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| OSVersion | string | Version of the operating system running on the machine |
-| OSArchitecture | string | Architecture of the operating system running on the machine |
-| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| SoftwareName | string | Name of the software product |
-| SoftwareVersion | string | Version number of the software product |
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `DeviceId` | string | Unique identifier for the machine in the service |
+| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
+| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| `OSVersion` | string | Version of the operating system running on the machine |
+| `OSArchitecture` | string | Architecture of the operating system running on the machine |
+| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `SoftwareName` | string | Name of the software product |
+| `SoftwareVersion` | string | Version number of the software product |
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
 
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
index 754894ddbf..9efd108ce9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -1,7 +1,7 @@
 ---
-title: DeviceTvmSoftwareVulnerabilitiesKB  table in the Advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. 
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB 
+title: DeviceTvmSoftwareVulnerabilitiesKB  table in the advanced hunting schema
+description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. 
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -28,20 +28,20 @@ ms.date: 11/12/2019
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
-The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
 
-For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
 
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| LastModifiedTime | datetime | Date and time the item or related metadata was last modified |
-| PublishedDate | datetime | Date vulnerability was disclosed to public |
-| VulnerabilityDescription | string | Description of vulnerability and associated risks |
-| AffectedSoftware | string | List of all software products affected by the vulnerability |
+| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
+| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
+| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
+| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
+| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
+| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
+| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
+| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 3bf7ffba39..62a32da91b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -27,6 +27,7 @@ Method |Return Type |Description
 :---|:---|:---
 [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
 [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
+[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md).
 [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
 [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
 [List related files](get-alert-related-files-info.md) | [File](files.md) collection |  List the [file](files.md) entities that are associated with the [alert](alerts.md).
@@ -59,19 +60,8 @@ detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
 comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
-alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName. 
-alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field. 
-alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. 
 
 
-
-## JSON representation:
-
-- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists)
-- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains).
-- When querying single alert all expandable properties will be expanded. 
-- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. 
-
 ### Response example for getting single alert:
 
 ```
@@ -83,12 +73,12 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
     "id": "da637084217856368682_-292920499",
     "incidentId": 66860,
     "investigationId": 4416234,
+	"investigationState": "Running",
     "assignedTo": "secop@contoso.com",
     "severity": "Low",
     "status": "New",
     "classification": "TruePositive",
     "determination": null,
-    "investigationState": "Running",
     "detectionSource": "WindowsDefenderAtp",
     "category": "CommandAndControl",
     "threatFamilyName": null,
@@ -106,24 +96,6 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
             "createdBy": "secop@contoso.com",
             "createdTime": "2019-11-05T14:08:37.8404534Z"
         }
-    ],
-    "alertFiles": [
-        {
-            "sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd",
-            "sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e",
-            "filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe",
-            "fileName": "nsf61D3.tmp.exe"
-        }
-    ],
-    "alertDomains": [
-        {
-            "host": "login.bullguard.com"
-        }
-    ],
-    "alertIps": [
-        {
-            "ipAddress": "91.231.212.53"
-        }
     ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
index 03274e47b8..c27bcf9d6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Microsoft Defender ATP Flow connector
+# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
 
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index bf6f5843b9..b05666bfbf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -43,7 +43,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
 
 ```
 	let 
-		AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
+		AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
 
 		HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index 425ad57ee8..589b46db48 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Defender Advanced Threat Protection API overview  
+title: Access the Microsoft Defender Advanced Threat Protection APIs  
 ms.reviewer: 
 description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
 keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Microsoft Defender ATP API overview
+# Access the Microsoft Defender Advanced Threat Protection APIs 
 
 **Applies to:** 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 772ce99ae9..363a0b815b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -46,12 +46,12 @@ For information about configuring attack surface reduction rules, see [Enable at
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
 
 Here is an example query:
 
-```PowerShell
-MiscEvents
+```kusto
+DeviceEvents
 | where ActionType startswith 'Asr'
 ```
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index b9aad84bc9..96cf4bd271 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -35,6 +35,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
 
 >[!NOTE]
 >Currently, automated investigation only supports the following OS versions:
+>- Windows Server 2019
 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
 >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
 >- Later versions of Windows 10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
index fbfaeaf1bc..1596496d14 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@@ -18,11 +18,19 @@ ms.topic: article
 ---
 
 # Collect investigation package API
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+## API description
 Collect investigation package from a machine.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -74,25 +82,3 @@ Content-type: application/json
   "Comment": "Collect forensics due to alert 1234"
 }
 ```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
-    "type": "CollectInvestigationPackage",
-    "requestor": "Analyst@contoso.com",
-    "requestorComment": " Collect forensics due to alert 1234",
-    "status": "InProgress",
-    "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
-    "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
-	"relatedFileInfo": null
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
index 958a83f654..74f4a1a451 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
 ms.reviewer: 
-description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
+description: Configuring TVM's integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) helps security and IT admins collaborate seamlessly
 keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM  
 search.product: Windows 10
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 5a8e0475ca..100bfd2636 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -69,6 +69,9 @@ The following steps will guide you through onboarding VDI machines and will high
 
 4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
 
+    >[!NOTE]
+    >Domain Group Policy may also be used for onboarding non-persistent VDI machines.
+
 5. Depending on the method you'd like to implement, follow the appropriate steps: 

   **For single entry for each machine**:

   Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. 


diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index a97e8031a2..ff9e39088c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -1,6 +1,6 @@
 ---
 title: Optimize ASR rule deployment and detections
-description: Ensure your attack surface reduction (ASR) rules are fully deployed and optimized to effectively identify and prevent actions that are typically taken by malware during exploitation. 
+description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase. 
 keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index 521fbb5621..ad965c75e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/16/2017
 ---
 
 # Pull detections to your SIEM tools
@@ -56,13 +55,3 @@ Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using
 For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
 
 
-## In this section
-
-Topic | Description
-:---|:---
-[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
-[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
-[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
-[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index b751dd036f..ae15f3e5c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -51,12 +51,12 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
 
 Here is an example query
 
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
 ```
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index 077445f7c7..2e5c7cec45 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -16,13 +16,24 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Create alert from event API
+# Create alert API
 
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-Create alert using event data, as obtained from [Advanced Hunting](run-advanced-query-api.md) for creating a new alert.
+
+## API description
+Creates new [Alert](alerts.md).
+
Microsoft Defender ATP Event is a required parameter for the alert creation.
+
You can use an event found in Advanced Hunting API or Portal.
+
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
+
An automatic investigation starts automatically on alerts created via the API.
+
+
+## Limitations
+1. Rate limitations for this API are 15 calls per minute.
+
 
 ## Permissions
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index fb3a52f9f4..c5a436c489 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -34,17 +34,17 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 
 #### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. 
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. 
 
-The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
 
-```
-MiscEvents
-| where EventTime > ago(7d)
+```kusto
+DeviceEvents
+| where Timestamp > ago(7d)
 | where ActionType == "AntivirusDetection"
-| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
 | where count_ > 5
 ```
 
@@ -76,7 +76,7 @@ Whenever a rule runs, similar detections on the same machine could be aggregated
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
 
 #### Actions on machines
-These actions are applied to machines in the `MachineId` column of the query results:
+These actions are applied to machines in the `DeviceId` column of the query results:
 - **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
 - **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
 - **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
@@ -117,7 +117,7 @@ You can also take the following actions on the rule from this page:
 
 - **Run** — run the rule immediately. This also resets the interval for the next run.
 - **Edit** — modify the rule without changing the query
-- **Modify query** — edit the query in Advanced hunting
+- **Modify query** — edit the query in advanced hunting
 - **Turn on** / **Turn off** — enable the rule or stop it from running
 - **Delete** — turn off the rule and remove it
 
@@ -127,5 +127,5 @@ You can also take the following actions on the rule from this page:
 ## Related topic
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
+- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
 - [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
index 27ffb12de8..1c03a39e93 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
@@ -18,15 +18,18 @@ ms.topic: article
 
 # Delete Indicator API
 
-**Applies to:**  
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
->[!Note]
-> Currently this API is only supported for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
+## API description
+Deletes an [Indicator](ti-indicator.md) entity by ID.
 
 
-- Deletes an Indicator entity by ID.
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@@ -66,15 +69,5 @@ If Indicator with the specified id was not found - 404 Not Found.
 Here is an example of the request.
 
 ```
-DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 204 NO CONTENT
-
+DELETE https://api.securitycenter.windows.com/api/indicators/995
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 0f325b3497..36853a0451 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -10,9 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.date: 05/09/2019
+author: denisebmsft
+ms.author: deniseb
+ms.date: 01/08/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,51 +23,50 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
+[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
+
+> [!IMPORTANT]
+> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
 
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 
-You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
-
 You can enable each mitigation separately by using any of these methods:
 
-* [Windows Security app](#windows-security-app)
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
-* [System Center Configuration Manager (SCCM)](#sccm)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [Windows Security app](#windows-security-app)
+- [Microsoft Intune](#intune)
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
-They are configured by default in Windows 10.
-
-You can set each mitigation to on, off, or to its default value.
-Some mitigations have additional options.
+Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
 
 You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
 
+You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
+
 ## Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
 
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
+3. Go to **Program settings** and choose the app you want to apply mitigations to. 

+    - If the app you want to configure is already listed, click it and then click **Edit**.
+    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. 

+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
-    1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
 
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
 
-5. Repeat this for all the apps and mitigations you want to configure.
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:

+    - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 
-6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
-    * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-
-7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 
@@ -78,51 +77,45 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
 
-**Example 1**
+### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
 
-Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
-
-Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
+Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
 
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
 
-**Example 2**
+### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
 
-Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
+Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
 
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 
-Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
-CFG will be enabled for *miles.exe*.
+The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
 
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
-
-    1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+3. Go to **Program settings** and choose the app you want to apply mitigations to.

+    - If the app you want to configure is already listed, click it and then click **Edit**.
+    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.

+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
-5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+2. Click **Device configuration** > **Profiles** > **Create profile**.
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
    ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
-1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
    ![Enable network protection in Intune](../images/enable-ep-intune.png)
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+6. Click **OK** to save each open blade and click **Create**.
+7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
 
@@ -131,21 +124,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 ## SCCM
 
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+2. Click **Home** > **Create Exploit Guard Policy**.
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+4. Browse to the location of the exploit protection XML file and click **Next**.
+5. Review the settings and click **Next** to create the policy.
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-
-1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 
 ## PowerShell
 
@@ -230,7 +221,7 @@ Validate handle usage | App-level only |   StrictHandle  | Audit not available
 Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
 Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
 
-\[1\]: Use the following format to enable EAF modules for dlls for a process:
+\[1\]: Use the following format to enable EAF modules for DLLs for a process:
 
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 5e9a5f5e75..1741fdf531 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -130,7 +130,7 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  *
 In terminal, run:
 
 ```bash
-    mdatp --edr --earlypreview true
+    mdatp --edr --early-preview true
  ```
 
 For versions earlier than 100.78.0, run:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index c7ae3aac79..ccab9e8250 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -152,7 +152,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
 After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
 
 
-Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
+Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
 
 
 ## Simulation results
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index 3d1b7367e0..c0073ce75e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -49,12 +49,12 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment.
 
 Here is an example query:
 
-```PowerShell
-MiscEvents
+```kusto
+DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
new file mode 100644
index 0000000000..549743f14c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@@ -0,0 +1,239 @@
+---
+title: Create an Application to access Microsoft Defender ATP without a user
+ms.reviewer: 
+description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Partner access through Microsoft Defender ATP APIs
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on behalf of your customers.
+
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create a **multi-tenant** AAD application.
+- Get authorized(consent) by your customer administrator for your application to access Microsoft Defender ATP resources it needs.
+- Get an access token using this application.
+- Use the token to access Microsoft Defender ATP API.
+
+The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
+
**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
+
+## Create the multi-tenant app
+
+1. Log on to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. 
+
+   ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
+
+3. In the registration form:
+
+	- Choose a name for your application.
+
+	- Supported account types - accounts in any organizational directory.
+
+	- Redirect URI - type: Web, URI: https://portal.azure.com
+
+	![Image of Microsoft Azure partner application registration](images/atp-api-new-app-partner.png)
+
+
+4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions required to complete the integration.
+
+   - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+
+   - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+   ![Image of API access and API selection](images/add-permission.png)
+   
+   ### Request API permissions
+
+   To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. For instance:
+
+   - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+   
+   - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+
+   In the following example we will use **'Read all alerts'** permission:
+
+   Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
+
+   ![Image of API access and API selection](images/application-permissions.png)
+
+
+5. Click **Grant consent**
+
+	- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+
+	![Image of Grant permissions](images/grant-consent.png)
+
+6. Add a secret to the application.
+
+	- Click **Certificates & secrets**, add description to the secret and click **Add**.
+
+    **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
+
+    ![Image of create app key](images/webapp-create-key2.png)
+
+7. Write down your application ID:
+
+   - On your application page, go to **Overview** and copy the following:
+
+   ![Image of created app id](images/app-id.png)
+
+8. Add the application to your customer's tenant.
+
+    You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
+
+    A user with **Global Administrator** from your customer's tenant need to click the consent link and approve your application.
+
+    Consent link is of the form:
+
+    ```
+    https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
+    ```
+
+    Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
+
+	After clicking on the consent link, login with the Global Administrator of the customer's tenant and consent the application.
+
+	![Image of consent](images/app-consent-partner.png)
+
+	In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token.
+
+- **Done!** You have successfully registered an application! 
+- See examples below for token acquisition and validation.
+
+## Get an access token examples:
+
+**Note:** to get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.
+
+
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using PowerShell
+
+```
+# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
+# Paste below your Tenant ID, App ID and App Secret (App key).
+
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application key here
+
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+    resource = "$resourceAppIdUri"
+    client_id = "$appId"
+    client_secret = "$appSecret"
+    grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$token = $authResponse.access_token
+Out-File -FilePath "./Latest-token.txt" -InputObject $token
+return $token
+```
+
+### Using C#:
+
+>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+    ```
+    using Microsoft.IdentityModel.Clients.ActiveDirectory;
+    ```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+    ```
+    string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+    string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+    string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! 
+
+    const string authority = "https://login.windows.net";
+    const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+    AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+    ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+    AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+    string token = authenticationResult.AccessToken;
+    ```
+
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn  aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender ATP:
+- The "tid" claim is the tenant ID the token belongs to.
+
+![Image of token validation](images/webapp-decoded-token.png)
+
+## Use the token to access Microsoft Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#** 
+    ```
+    var httpClient = new HttpClient();
+
+    var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+    var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
+
+    // Do something useful with the response
+    ```
+
+## Related topics
+- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
+- [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index 7f21e771f8..5bb9b4adc1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -32,7 +32,7 @@ In this section we share PowerShell samples to
 
 **Prerequisite**: You first need to [create an app](apis-intro.md).
 
-## Preparation Instructions
+## Preparation instructions
 
 - Open a PowerShell window.
 - If your policy does not allow you to run the PowerShell commands, you can run the below command:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index fbcee47cf2..cb90cee7fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -51,25 +51,25 @@ Content-type: application/json
     "value": [
         {
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-            "rbacGroupName": "The-A-Team",
-            "riskScore": "High",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+			"computerDnsName": "mymachine1.contoso.com",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"osPlatform": "Windows10",
+			"version": "1709",
+			"osProcessor": "x64",
+			"lastIpAddress": "172.17.230.209",
+			"lastExternalIpAddress": "167.220.196.71",
+			"osBuild": 18209,
+			"healthStatus": "Active",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+			"riskScore": "Low",
+			"exposureLevel": "Medium",
+			"isAadJoined": true,
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "ExampleTag" ]
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
@@ -79,7 +79,7 @@ Content-type: application/json
 - Get all the alerts that created after 2018-10-20 00:00:00
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
+HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
 ```
 
 **Response:**
@@ -91,28 +91,35 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "121688558380765161_2136280442",
-            "incidentId": 7696,
-            "assignedTo": "secop@contoso.com",
-            "severity": "High",
-            "status": "New",
-            "classification": "TruePositive",
-            "determination": "Malware",
-            "investigationState": "Running",
-            "category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": "Mikatz",
-            "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "description": "Some description",
-            "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-            "firstEventTime": "2018-11-26T16:17:50.0948658Z",
-            "lastEventTime": "2018-11-26T16:18:01.809871Z",
-            "resolvedTime": null,
-            "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+            "id": "da637084217856368682_-292920499",
+			"incidentId": 66860,
+			"investigationId": 4416234,
+			"investigationState": "Running",
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
+			"status": "New",
+			"classification": "TruePositive",
+			"determination": null,
+			"detectionSource": "WindowsDefenderAtp",
+			"category": "CommandAndControl",
+			"threatFamilyName": null,
+			"title": "Network connection to a risky host",
+			"description": "A network connection was made to a risky host which has exhibited malicious activity.",
+			"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
+			"firstEventTime": "2019-11-03T23:47:16.2288822Z",
+			"lastEventTime": "2019-11-03T23:47:51.2966758Z",
+			"lastUpdateTime": "2019-11-03T23:55:52.6Z",
+			"resolvedTime": null,
+			"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+			"comments": [
+				{
+					"comment": "test comment for docs",
+					"createdBy": "secop@contoso.com",
+					"createdTime": "2019-11-05T14:08:37.8404534Z"
+				}
+		  ]
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
@@ -122,7 +129,7 @@ Content-type: application/json
 - Get all the machines with 'High' 'RiskScore'
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
 ```
 
 **Response:**
@@ -135,25 +142,25 @@ Content-type: application/json
     "value": [
         {
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-            "rbacGroupName": "The-A-Team",
-            "riskScore": "High",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+			"computerDnsName": "mymachine1.contoso.com",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"osPlatform": "Windows10",
+			"version": "1709",
+			"osProcessor": "x64",
+			"lastIpAddress": "172.17.230.209",
+			"lastExternalIpAddress": "167.220.196.71",
+			"osBuild": 18209,
+			"healthStatus": "Active",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+			"riskScore": "High",
+			"exposureLevel": "Medium",
+			"isAadJoined": true,
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "ExampleTag" ]
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
@@ -163,7 +170,7 @@ Content-type: application/json
 - Get top 100 machines with 'HealthStatus' not equals to 'Active'
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 
 ```
 
 **Response:**
@@ -176,25 +183,25 @@ Content-type: application/json
     "value": [
         {
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-            "rbacGroupName": "The-A-Team",
-            "riskScore": "High",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+			"computerDnsName": "mymachine1.contoso.com",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"osPlatform": "Windows10",
+			"version": "1709",
+			"osProcessor": "x64",
+			"lastIpAddress": "172.17.230.209",
+			"lastExternalIpAddress": "167.220.196.71",
+			"osBuild": 18209,
+			"healthStatus": "ImpairedCommunication",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+			"riskScore": "Low",
+			"exposureLevel": "Medium",
+			"isAadJoined": true,
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "ExampleTag" ]
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
@@ -217,25 +224,25 @@ Content-type: application/json
     "value": [
         {
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-            "rbacGroupName": "The-A-Team",
-            "riskScore": "High",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
+			"computerDnsName": "mymachine1.contoso.com",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+			"osPlatform": "Windows10",
+			"version": "1709",
+			"osProcessor": "x64",
+			"lastIpAddress": "172.17.230.209",
+			"lastExternalIpAddress": "167.220.196.71",
+			"osBuild": 18209,
+			"healthStatus": "ImpairedCommunication",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+			"riskScore": "Low",
+			"exposureLevel": "Medium",
+			"isAadJoined": true,
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "ExampleTag" ]
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
@@ -245,7 +252,7 @@ Content-type: application/json
 - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
 ```
 
 **Response:**
@@ -257,19 +264,19 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
     "value": [
         {
-            "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+            "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
             "type": "RunAntiVirusScan",
-            "requestor": "Analyst@examples.onmicrosoft.com",
-            "requestorComment": "1533",
+			"scope": "Full",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "Check machine for viruses due to alert 3212",
             "status": "Succeeded",
-            "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
-            "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
-            "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
-            "relatedFileInfo": null
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "computerDnsName": "desktop-39g9tgl",
+            "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+			"relatedFileInfo": null
         },
-        .
-        .
-        .
+        ...
     ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md
index d4cc5e85cb..5ef6fc7ec4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/files.md
@@ -17,9 +17,10 @@ ms.topic: article
 ---
 
 # File resource type
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 Represent a file entity in Microsoft Defender ATP.
 
@@ -37,11 +38,10 @@ Property |	Type	|	Description
 :---|:---|:---
 sha1 | String | Sha1 hash of the file content
 sha256 | String | Sha256 hash of the file content
-md5 | String | md5 hash of the file content
-globalPrevalence | Integer | File prevalence across organization
+globalPrevalence | Nullable long | File prevalence across organization
 globalFirstObserved | DateTimeOffset | First time the file was observed.
 globalLastObserved | DateTimeOffset | Last time the file was observed.
-size | Integer | Size of the file.
+size | Nullable long | Size of the file.
 fileType | String | Type of the file. 
 isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
 filePublisher | String | File publisher.
@@ -50,3 +50,29 @@ signer | String | File signer.
 issuer | String | File issuer.
 signerHash | String | Hash of the signing certificate.
 isValidCertificate | Boolean | Was signing certificate successfully verified by  Microsoft Defender ATP agent.
+determinationType | String | The determination type of the file.
+determinationValue | String | Determination value.
+
+
+## Json representation
+
+```json
+{
+	"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
+	"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
+	"globalPrevalence": 180022,
+	"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
+	"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
+	"size": 22139496,
+	"fileType": "APP",
+	"isPeFile": true,
+	"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
+	"fileProductName": "EaseUS MobiSaver for Android",
+	"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
+	"issuer": "VeriSign Class 3 Code Signing 2010 CA",
+	"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
+	"isValidCertificate": false,
+	"determinationType": "Pua",
+	"determinationValue": "PUA:Win32/FusionCore"
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index c803a1d4de..5976574977 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -18,13 +18,19 @@ ms.topic: article
 
 # Find machines by internal IP API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
 
-The given timestamp must be in the past 30 days.
+## API description
+Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
+
+
+## Limitations
+1. The given timestamp must be in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -70,37 +76,5 @@ Here is an example of the request.
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
 ```
-GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
-    "value": [
-        {
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-			"computerDnsName": "mymachine1.contoso.com",
-			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-09-22T08:55:03.7791856Z",
-			"osPlatform": "Windows10",
-			"osVersion": "10.0.0.0",
-			"lastIpAddress": "10.248.240.38",
-			"lastExternalIpAddress": "167.220.196.71",
-			"agentVersion": "10.5830.18209.1001",
-			"osBuild": 18209,
-			"healthStatus": "Active",
-			"rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-			"riskScore": "Low",
-			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "test tag 2" ]
-        }
-    ]
-}
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index d410e5fdb4..f065b2faab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get alert information by ID API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves specific [Alert](alerts.md) by its ID.
+
+
+## Limitations
+1. You can get alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves an alert by its ID.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -56,46 +64,3 @@ Empty
 
 ## Response
 If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "441688558380765161_2136280442",
-	"incidentId": 8633,
-	"assignedTo": "secop@contoso.com",
-	"severity": "Low",
-	"status": "InProgress",
-	"classification": "TruePositive",
-	"determination": "Malware",
-	"investigationState": "Running",
-	"category": "MalwareDownload",
-	"detectionSource": "WindowsDefenderAv",
-	"threatFamilyName": "Mikatz",
-	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-	"description": "Some description",
-	"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-	"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-	"lastEventTime": "2018-11-25T16:18:01.809871Z",
-	"resolvedTime": null,
-	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index 001e90c95f..bfafa218ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -18,12 +18,20 @@ ms.topic: article
 
 # Get alert related domain information API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves all domains related to a specific alert.
 
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -79,7 +87,11 @@ Content-type: application/json
     "value": [
         {
             "host": "www.example.com"
+        },
+		{
+            "host": "www.example2.com"
         }
+		...
     ]
 }
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index c8605dc7cd..89838eb90d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -18,12 +18,20 @@ ms.topic: article
 
 # Get alert related files information API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves all files related to a specific alert.
 
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -79,23 +87,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
     "value": [
         {
-            "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
-            "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
-            "md5": "82849dc81d94056224445ea73dc6153a",
-            "globalPrevalence": 33,
-            "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
-            "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
-            "windowsDefenderAVThreatName": null,
-            "size": 801112,
-            "fileType": "PortableExecutable",
+            "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
+            "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
+            "md5": "8d5b7cc9a832e21d22503057e1fec8e9",
+            "globalPrevalence": 29,
+            "globalFirstObserved": "2019-03-23T23:54:06.0135204Z",
+            "globalLastObserved": "2019-04-23T00:43:20.0489831Z",
+            "size": 113984,
+            "fileType": null,
             "isPeFile": true,
-            "filePublisher": null,
-            "fileProductName": null,
-            "signer": "Microsoft Windows",
-            "issuer": "Microsoft Development PCA 2014",
-            "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
-            "isValidCertificate": true
+            "filePublisher": "Microsoft Corporation",
+            "fileProductName": "Microsoft Windows Operating System",
+            "signer": "Microsoft Corporation",
+            "issuer": "Microsoft Code Signing PCA",
+            "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
+            "isValidCertificate": true,
+            "determinationType": "Unknown",
+            "determinationValue": null
         }
+		...
     ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index 69d6da0bf6..f012975e19 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -16,14 +16,22 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Get alert related IP information API
+# Get alert related IPs information API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves all IPs related to a specific alert.
 
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -85,6 +93,7 @@ Content-type: application/json
 				{
 					"id": "23.203.232.228	
 				}
+				...
 	]
 }
  
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index bd98f47f1b..be84e2c9ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get alert related machine information API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves [Machine](machine.md) related to a specific alert.
+
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves machine that is related to a specific alert.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -85,15 +93,16 @@ Content-type: application/json
     "firstSeen": "2018-08-02T14:55:03.7791856Z",
 	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
-    "osVersion": "10.0.0.0",
+    "version": "1709",
+	"osProcessor": "x64",
     "lastIpAddress": "172.17.230.209",
     "lastExternalIpAddress": "167.220.196.71",
-    "agentVersion": "10.5830.18209.1001",
     "osBuild": 18209,
     "healthStatus": "Active",
     "rbacGroupId": 140,
 	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
+	"exposureLevel": "Medium",
 	"isAadJoined": true,
     "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 	"machineTags": [ "test tag 1", "test tag 2" ]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index ac8b284b43..d0e078abac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get alert related user information API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves the User related to a specific alert.
+
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves the user associated to a specific alert.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -80,13 +88,16 @@ Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
     "id": "contoso\\user1",
-    "firstSeen": "2018-08-02T00:00:00Z",
-    "lastSeen": "2018-08-04T00:00:00Z",
-    "mostPrevalentMachineId": null,
-    "leastPrevalentMachineId": null,
+    "accountName": "user1",
+    "accountDomain": "contoso",
+    "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
+    "firstSeen": "2019-12-08T06:33:39Z",
+    "lastSeen": "2020-01-05T06:58:34Z",
+    "mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
+    "leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
     "logonTypes": "Network",
-    "logOnMachinesCount": 3,
+    "logOnMachinesCount": 1,
     "isDomainAdmin": false,
-    "isOnlyNetworkUser": null
+    "isOnlyNetworkUser": false
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index b6056a66b3..33337c0f38 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -22,13 +22,19 @@ ms.topic: article
 
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves a collection of Alerts.
+
Supports [OData V4 queries](https://www.odata.org/documentation/).
+
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
-Supports [OData V4 queries](https://www.odata.org/documentation/).
 
-The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category".
+## Limitations
+1. You can get alerts last updated in the past 30 days.
+2. Maximum page size is 10,000.
+3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
 
-See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -50,10 +56,6 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 GET /api/alerts
 ```
 
-## Optional query parameters
-Method supports $top, $select, $filter, $expand and $skip query parameters.
-
$expand is available on Files, IPs and Domains. e.g. $expand=files,domains
-
 ## Request headers
 
 Name | Type | Description
@@ -120,11 +122,9 @@ Here is an example of the response.
 					"createdBy": "secop@contoso.com",
 					"createdTime": "2019-11-05T14:08:37.8404534Z"
 				}
-			],
-			"alertFiles": [],
-			"alertDomains": [],
-			"alertIps": []
+			]
 		}
+		...
 	]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
index 07b687504d..4207a4cc3b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
@@ -15,6 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
+ROBOTS: NOINDEX
 ---
 
 # Get CVE-KB map API
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index f835f9bc06..73b5a29c5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get domain related alerts API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
+
+
+## Limitations
+1. You can query on alerts last updated in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves a collection of alerts related to a given domain address.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -68,58 +76,3 @@ Here is an example of the request.
 ```
 GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
 ```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
-    "value": [
-        {
-            "id": "441688558380765161_2136280442",
-            "incidentId": 8633,
-            "assignedTo": "secop@contoso.com",
-            "severity": "Low",
-            "status": "InProgress",
-            "classification": "TruePositive",
-            "determination": "Malware",
-            "investigationState": "Running",
-            "category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": "Mikatz",
-            "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "description": "Some description",
-            "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "resolvedTime": null,
-            "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        },
-        {
-            "id": "121688558380765161_2136280442",
-            "incidentId": 4123,
-            "assignedTo": "secop@contoso.com",
-            "severity": "Low",
-            "status": "InProgress",
-            "classification": "TruePositive",
-            "determination": "Malware",
-            "investigationState": "Running",
-            "category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": "Mikatz",
-            "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "description": "Some description",
-            "alertCreationTime": "2018-11-24T16:19:21.8409809Z",
-            "firstEventTime": "2018-11-24T16:17:50.0948658Z",
-            "lastEventTime": "2018-11-24T16:18:01.809871Z",
-            "resolvedTime": null,
-            "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
-    ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
index 3d5d3cd534..b8b6be1268 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
@@ -17,10 +17,20 @@ ms.topic: article
 ---
 
 # Get domain related machines API
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Retrieves a collection of machines that have communicated to or from a given domain address.
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
+
+
+## Limitations
+1. You can query on machines last seen in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -68,54 +78,3 @@ Here is an example of the request.
 ```
 GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
 ```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
-    "value": [
-        {
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "test tag 2" ]
-        },
-        {
-            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-09T13:22:45.1250071Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "192.168.12.225",
-            "lastExternalIpAddress": "79.183.65.82",
-            "agentVersion": "10.5820.17724.1000",
-            "osBuild": 17724,
-            "healthStatus": "Inactive",
-			"rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-            "aadDeviceId": null,
-			"machineTags": [ "test tag 1" ]
-        }
-	]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index a74fa5c9ca..77725715cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -18,10 +18,18 @@ ms.topic: article
 
 # Get domain statistics API
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves the statistics on the given domain.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves the prevalence for the given domain.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index 0c499a7062..db2c9f018f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -17,10 +17,19 @@ ms.topic: article
 ---
 
 # Get file information API
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Retrieves a file by identifier Sha1, Sha256, or MD5.
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a [File](files.md) by identifier Sha1, or Sha256
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -62,7 +71,7 @@ Here is an example of the request.
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
 ```
-GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
 ```
 
 **Response**
@@ -74,22 +83,22 @@ Here is an example of the response.
 HTTP/1.1 200 OK
 Content-type: application/json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
-    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
-    "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
-    "md5": "7f05a371d2beffb3784fd2199f81d730",
-    "globalPrevalence": 7329,
-    "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
-    "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
-    "windowsDefenderAVThreatName": null,
-    "size": 391680,
-    "fileType": "PortableExecutable",
-    "isPeFile": true,
-    "filePublisher": null,
-    "fileProductName": null,
-    "signer": null,
-    "issuer": null,
-    "signerHash": null,
-    "isValidCertificate": null
+	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+	"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
+	"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
+	"globalPrevalence": 180022,
+	"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
+	"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
+	"size": 22139496,
+	"fileType": "APP",
+	"isPeFile": true,
+	"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
+	"fileProductName": "EaseUS MobiSaver for Android",
+	"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
+	"issuer": "VeriSign Class 3 Code Signing 2010 CA",
+	"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
+	"isValidCertificate": false,
+	"determinationType": "Pua",
+	"determinationValue": "PUA:Win32/FusionCore"
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index 3f6ac44dd3..146a80fcf6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Get file related alerts API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves a collection of alerts related to a given file hash.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -69,38 +76,3 @@ Here is an example of the request.
 ```
 GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
 ```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{    
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "value": [
-        {
-            "id": "121688558380765161_2136280442",
-			"incidentId": 7696,
-			"assignedTo": "secop@contoso.com",
-			"severity": "High",
-			"status": "New",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-26T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
-    ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index de5d6837e9..a1e522151c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -18,11 +18,18 @@ ms.topic: article
 
 # Get file related machines API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a collection of [Machines](machine.md) related to a given file hash.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-- Retrieves a collection of machines related to a given file hash.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -69,52 +76,3 @@ Here is an example of the request.
 ```
 GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
 ```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
-    "value": [
-        {
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-            "riskScore": "Low",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "test tag 2" ]
-        },
-        {
-            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-09T13:22:45.1250071Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "192.168.12.225",
-            "lastExternalIpAddress": "79.183.65.82",
-            "agentVersion": "10.5820.17724.1000",
-            "osBuild": 17724,
-            "healthStatus": "Inactive",
-			"rbacGroupId": 140,
-            "riskScore": "Low",
-            "aadDeviceId": null,
-			"machineTags": [ "test tag 1" ]
-        }
-    ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index 5f2cfec15b..b6abc23c5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -18,11 +18,18 @@ ms.topic: article
 
 # Get file statistics API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves the statistics for the given file.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves the prevalence for the given file.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -64,7 +71,7 @@ Here is an example of the request.
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
 ```
-GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
 ```
 
 **Response**
@@ -77,13 +84,15 @@ HTTP/1.1 200 OK
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
-    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
-    "orgPrevalence": "3",
-    "orgFirstSeen": "2018-07-15T06:13:59Z",
-    "orgLastSeen": "2018-08-03T16:45:21Z",
+    "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
+    "orgPrevalence": "14850",
+    "orgFirstSeen": "2019-12-07T13:44:16Z",
+    "orgLastSeen": "2020-01-06T13:39:36Z",
+    "globalPrevalence": "705012",
+    "globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
+    "globalLastObserved": "2020-01-06T13:39:36Z",
     "topFileNames": [
-        "chrome_1.exe",
-		"chrome_2.exe"
+        "MREC.exe"
     ]
 }
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
new file mode 100644
index 0000000000..03fc53560f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
@@ -0,0 +1,110 @@
+---
+title: List Investigations API
+description: Use this API to create calls related to get Investigations collection
+keywords: apis, graph api, supported apis, Investigations collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# List Investigations API
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a collection of [Investigations](investigation.md).
+
Supports [OData V4 queries](https://www.odata.org/documentation/).
+
The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties.
+
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+
+
+## Limitations
+1. Maximum page size is 10,000.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/investigations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
+
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## Example
+
+**Request**
+
+Here is an example of a request to get all investigations: 
+
+
+```
+GET https://api.securitycenter.windows.com/api/investigations
+```
+
+**Response**
+
+Here is an example of the response:
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations",
+    "value": [
+        {
+            "id": "63017",
+            "startTime": "2020-01-06T14:11:34Z",
+            "endTime": null,
+            "state": "Running",
+            "cancelledBy": null,
+            "statusDetails": null,
+            "machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
+            "computerDnsName": "desktop-gtrcon0",
+            "triggeringAlertId": "da637139166940871892_-598649278"
+        }
+		...
+    ]
+}
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
new file mode 100644
index 0000000000..933c2cde60
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
@@ -0,0 +1,66 @@
+---
+title: Get Investigation object API
+description: Use this API to create calls related to get Investigation object
+keywords: apis, graph api, supported apis, Investigation object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Get Investigation API
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves specific [Investigation](investigation.md) by its ID.
+
 ID can be the investigation ID or the investigation triggering alert ID.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/investigations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
index e7bf04d3e1..c0088b91f6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Get IP related alerts API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves a collection of alerts related to a given IP address.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -69,39 +76,4 @@ Here is an example of the request.
 
 ```
 GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{    
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "value": [
-        {
-            "id": "441688558380765161_2136280442",
-			"incidentId": 8633,
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "InProgress",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
-    ]
-}
-```
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 6f8fe6c478..9bc08c2680 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -18,11 +18,18 @@ ms.topic: article
 
 # Get IP statistics API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves the statistics for the given IP.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves the prevalence for the given IP.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
index 7617020547..55e74662e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/07/2018
+ROBOTS: NOINDEX
 ---
 
 # Get KB collection API
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 2f8eda6c03..aaaa6abf4d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get machine by ID API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves specific [Machine](machine.md) by its machine ID or computer name.
+
+
+## Limitations
+1. You can get machines last seen in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves a machine entity by ID.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -83,20 +91,22 @@ Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
     "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2018-08-02T14:55:03.7791856Z",
+	"computerDnsName": "mymachine1.contoso.com",
+	"firstSeen": "2018-08-02T14:55:03.7791856Z",
 	"lastSeen": "2018-08-02T14:55:03.7791856Z",
-    "osPlatform": "Windows10",
-    "osVersion": "10.0.0.0",
-    "lastIpAddress": "172.17.230.209",
-    "lastExternalIpAddress": "167.220.196.71",
-    "agentVersion": "10.5830.18209.1001",
-    "osBuild": 18209,
-    "healthStatus": "Active",
-    "rbacGroupId": 140,
+	"osPlatform": "Windows10",
+	"version": "1709",
+	"osProcessor": "x64",
+	"lastIpAddress": "172.17.230.209",
+	"lastExternalIpAddress": "167.220.196.71",
+	"osBuild": 18209,
+	"healthStatus": "Active",
+	"rbacGroupId": 140,
 	"rbacGroupName": "The-A-Team",
-    "riskScore": "Low",
-    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"riskScore": "Low",
+	"exposureLevel": "Medium",
+	"isAadJoined": true,
+	"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 	"machineTags": [ "test tag 1", "test tag 2" ]
 }
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index 9d364b0815..59e1357d2e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -18,11 +18,19 @@ ms.topic: article
 
 # Get machine log on users API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves a collection of logged on users on a specific machine.
+
+
+## Limitations
+1. You can query on machines last seen in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Retrieves a collection of logged on users.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -81,26 +89,19 @@ Content-type: application/json
     "value": [
         {
             "id": "contoso\\user1",
-            "firstSeen": "2018-08-02T00:00:00Z",
-            "lastSeen": "2018-08-04T00:00:00Z",
-            "mostPrevalentMachineId": null,
-            "leastPrevalentMachineId": null,
-            "logonTypes": "Network",
-            "logOnMachinesCount": 3,
-            "isDomainAdmin": false,
-            "isOnlyNetworkUser": null
+            "accountName": "user1",
+            "accountDomain": "contoso",
+            "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
+            "firstSeen": "2019-12-18T08:02:54Z",
+            "lastSeen": "2020-01-06T08:01:48Z",
+            "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
+            "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
+            "logonTypes": "Interactive",
+            "logOnMachinesCount": 8,
+            "isDomainAdmin": true,
+            "isOnlyNetworkUser": false
         },
-        {
-            "id": "contoso\\user2",
-            "firstSeen": "2018-08-02T00:00:00Z",
-            "lastSeen": "2018-08-05T00:00:00Z",
-            "mostPrevalentMachineId": null,
-            "leastPrevalentMachineId": null,
-            "logonTypes": "Network",
-            "logOnMachinesCount": 3,
-            "isDomainAdmin": false,
-            "isOnlyNetworkUser": null
-        }
+		...
     ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index f6499ab7bb..dd13f88123 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -17,13 +17,20 @@ ms.topic: article
 ---
 
 # Get machine related alerts  API
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Retrieves a collection of alerts related to a given machine ID.
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves all [Alerts](alerts.md) related to a specific machine.
+
+
+## Limitations
+1. You can query on machines last seen in the past 30 days.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
@@ -54,52 +61,3 @@ Empty
 
 ## Response
 If successful and machine exists - 200 OK with list of [alert](alerts.md) entities in the body. If machine was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```
-GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{    
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "value": [
-        {
-            "id": "441688558380765161_2136280442",
-			"incidentId": 8633,
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "InProgress",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
-    ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index 0b122f4eb6..dbcaf5b6fb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -18,10 +18,18 @@ ms.topic: article
 
 # Get machineAction API
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Retrieves specific [Machine Action](machineaction.md) by its ID.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Get action performed on a machine.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -77,15 +85,17 @@ HTTP/1.1 200 Ok
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
-    "type": "RunAntiVirusScan",
-    "requestor": "Analyst@contoso.com",
-    "requestorComment": "Check machine for viruses due to alert 3212",
+    "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
+    "type": "Isolate",
+	"scope": "Selective",
+    "requestor": "Analyst@TestPrd.onmicrosoft.com",
+    "requestorComment": "test for docs",
     "status": "Succeeded",
-    "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
-    "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
-	"relatedFileInfo": null
+    "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
+    "computerDnsName": "desktop-test",
+    "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
+    "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
+    "relatedFileInfo": null
 }
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 6389f8c1f4..c9883c2e4a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -18,17 +18,22 @@ ms.topic: article
 
 # List MachineActions API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-Gets collection of actions done on machines.
 
-Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+## API description
+Retrieves a collection of [Machine Actions](machineaction.md).
+
Supports [OData V4 queries](https://www.odata.org/documentation/).
+
The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
+
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
-The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
 
-See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+## Limitations
+1. Maximum page size is 10,000.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -89,10 +94,12 @@ Content-type: application/json
         {
             "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
             "type": "CollectInvestigationPackage",
+			"scope": null,
             "requestor": "Analyst@contoso.com",
             "requestorComment": "test",
             "status": "Succeeded",
             "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "computerDnsName": "desktop-39g9tgl",
             "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
             "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
 			"relatedFileInfo": null
@@ -100,10 +107,12 @@ Content-type: application/json
         {
             "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
             "type": "RunAntiVirusScan",
+			"scope": "Full",
             "requestor": "Analyst@contoso.com",
             "requestorComment": "Check machine for viruses due to alert 3212",
             "status": "Succeeded",
             "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "computerDnsName": "desktop-39g9tgl",
             "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
             "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
 			"relatedFileInfo": null
@@ -111,10 +120,12 @@ Content-type: application/json
         {
             "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
             "type": "StopAndQuarantineFile",
+			"scope": null,
             "requestor": "Analyst@contoso.com",
             "requestorComment": "test",
             "status": "Succeeded",
             "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+			"computerDnsName": "desktop-39g9tgl",
             "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
             "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
 			"relatedFileInfo": {
@@ -151,10 +162,12 @@ Content-type: application/json
         {
             "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
             "type": "CollectInvestigationPackage",
+			"scope": null,
             "requestor": "Analyst@contoso.com",
             "requestorComment": "test",
             "status": "Succeeded",
             "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+			"computerDnsName": "desktop-39g9tgl",
             "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
             "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
 			"relatedFileInfo": null
@@ -162,10 +175,12 @@ Content-type: application/json
         {
             "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
             "type": "RunAntiVirusScan",
+			"scope": "Full",
             "requestor": "Analyst@contoso.com",
             "requestorComment": "Check machine for viruses due to alert 3212",
             "status": "Succeeded",
             "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+			"computerDnsName": "desktop-39g9tgl",
             "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
             "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
 			"relatedFileInfo": null
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 1434e0878e..31ef6bb72d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -18,17 +18,23 @@ ms.topic: article
 
 # List machines API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
-This API can do the following actions:
 
-- Retrieves a collection of machines that have communicated with  Microsoft Defender ATP cloud on the last 30 days.
-- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
-- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
+## API description
+Retrieves a collection of [Machines](machine.md) that have communicated with  Microsoft Defender ATP cloud on the last 30 days.
+
Supports [OData V4 queries](https://www.odata.org/documentation/).
+
The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
+
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+
+
+## Limitations
+1. You can get machines last seen in the past 30 days.
+2. Maximum page size is 10,000.
+3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
 
-See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 
@@ -88,42 +94,25 @@ Content-type: application/json
     "value": [
         {
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"computerDnsName": "mymachine1.contoso.com",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-			"isAadJoined": true,
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "test tag 2" ]
-        },
-        {
-            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-09T13:22:45.1250071Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "192.168.12.225",
-            "lastExternalIpAddress": "79.183.65.82",
-            "agentVersion": "10.5820.17724.1000",
-            "osBuild": 17724,
-            "healthStatus": "Inactive",
+			"osPlatform": "Windows10",
+			"version": "1709",
+			"osProcessor": "x64",
+			"lastIpAddress": "172.17.230.209",
+			"lastExternalIpAddress": "167.220.196.71",
+			"osBuild": 18209,
+			"healthStatus": "Active",
 			"rbacGroupId": 140,
 			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-			"isAadJoined": false,
-            "aadDeviceId": null,
-			"machineTags": [ "test tag 1" ]
+			"riskScore": "Low",
+			"exposureLevel": "Medium",
+			"isAadJoined": true,
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         }
+		...
     ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
index d3b61ac453..986c832afc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
@@ -18,11 +18,14 @@ ms.topic: article
 
 # Get package SAS URI API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
 
-Get a URI that allows downloading of an [investigation package](collect-investigation-package.md).
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
new file mode 100644
index 0000000000..066146d158
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -0,0 +1,54 @@
+---
+title: Become a Microsoft Defender ATP partner
+ms.reviewer: 
+description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner
+keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual 
+---
+
+# Become a Microsoft Defender ATP partner
+
+**Applies to:** 
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
+
+## Step 1: Subscribe to a Microsoft Defender ATP Developer license
+Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP. 
+
+## Step 2: Fulfill the solution validation and certification requirements
+The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
+
+Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
+
+## Step 3: Become a  Microsoft Intelligent Security Association member
+[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products.
+
+## Step 4: Get listed in the Microsoft Defender ATP partner application portal
+Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal. 
+
+To have your company listed as a partner in the in-product partner page, you will need to provide the following:
+
+1. A square logo (SVG).
+2. Name of the product to be presented.
+3. Provide a 15-word product description.
+4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
+5.	If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
+
+
+Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
+
+## Related topics
+- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 84051f2159..7ac3ed480b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -18,16 +18,21 @@ ms.topic: article
 
 # List Indicators API
 
-**Applies to:** 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
->[!NOTE]
-> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
+## API description
+Retrieves a collection of all active [Indicators](ti-indicator.md).
+
Supports [OData V4 queries](https://www.odata.org/documentation/).
+
The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties.
+
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
 
 
-- Gets collection of TI Indicators.
-- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@@ -36,7 +41,7 @@ Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Ti.ReadWrite |	'Read and write Indicators'
 Application |	Ti.ReadWrite.All |	'Read and write All Indicators'
-
+Delegated (work or school account) |	Ti.ReadWrite |	'Read and write Indicators'
 
 ## HTTP request
 ```
@@ -82,26 +87,38 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
     "value": [
         {
+			"id": "995",
             "indicatorValue": "12.13.14.15",
             "indicatorType": "IpAddress",
+			"action": "Alert",
+			"application": "demo-test",
+			"source": "TestPrdApp",
+			"sourceType": "AadApp",
             "title": "test",
             "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
             "createdBy": "45097602-1234-5678-1234-9f453233e62c",
             "expirationTime": "2020-12-12T00:00:00Z",
-            "action": "Alert",
+			"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+			"lastUpdatedBy": TestPrdApp,
             "severity": "Informational",
             "description": "test",
             "recommendedActions": "test",
 			"rbacGroupNames": []
         },
         {
+			"id": "996",
             "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
             "indicatorType": "FileSha1",
+			"action": "AlertAndBlock",
+			"application": null,
+			"source": "TestPrdApp",
+			"sourceType": "AadApp",
             "title": "test",
             "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
             "createdBy": "45097602-1234-5678-1234-9f453233e62c",
             "expirationTime": "2020-12-12T00:00:00Z",
-            "action": "AlertAndBlock",
+			"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+			"lastUpdatedBy": TestPrdApp,
             "severity": "Informational",
             "description": "test",
             "recommendedActions": "TEST",
@@ -119,7 +136,7 @@ Content-type: application/json
 Here is an example of a request that gets all Indicators with 'AlertAndBlock' action 
 
 ```
-GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock'
+GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock'
 ```
 
 **Response**
@@ -133,13 +150,19 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
     "value": [
         {
-            "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+			"id": "997",
+            "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
             "indicatorType": "FileSha1",
+			"action": "AlertAndBlock",
+			"application": null,
+			"source": "TestPrdApp",
+			"sourceType": "AadApp",
             "title": "test",
             "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
             "createdBy": "45097602-1234-5678-1234-9f453233e62c",
             "expirationTime": "2020-12-12T00:00:00Z",
-            "action": "AlertAndBlock",
+			"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+			"lastUpdatedBy": TestPrdApp,
             "severity": "Informational",
             "description": "test",
             "recommendedActions": "TEST",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 724fb808b6..0eaec5311d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Get user related alerts API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves a collection of alerts related to a given user ID.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -70,59 +77,4 @@ Here is an example of the request.
 
 ```
 GET https://api.securitycenter.windows.com/api/users/user1/alerts
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{    
-	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "value": [
-        {
-            "id": "441688558380765161_2136280442",
-			"incidentId": 8633,
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "InProgress",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        },
-        {
-            "id": "121688558380765161_2136280442",
-			"incidentId": 4123,
-			"assignedTo": "secop@contoso.com",
-			"severity": "Low",
-			"status": "InProgress",
-			"classification": "TruePositive",
-			"determination": "Malware",
-			"investigationState": "Running",
-			"category": "MalwareDownload",
-			"detectionSource": "WindowsDefenderAv",
-			"threatFamilyName": "Mikatz",
-			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-			"description": "Some description",
-			"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
-			"firstEventTime": "2018-11-24T16:17:50.0948658Z",
-			"lastEventTime": "2018-11-24T16:18:01.809871Z",
-			"resolvedTime": null,
-			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-        }
-	]
-}
-```
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index f1ede24b29..ec84fa1f38 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Get user related machines API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Retrieves a collection of machines related to a given user ID.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
@@ -72,54 +79,3 @@ Here is an example of the request.
 ```
 GET https://api.securitycenter.windows.com/api/users/user1/machines
 ```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{    
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
-    "value": [
-        {
-            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18209,
-            "healthStatus": "Active",
-            "rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-			"machineTags": [ "test tag 1", "test tag 2" ]
-        },
-        {
-            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-09T13:22:45.1250071Z",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.0.0",
-            "lastIpAddress": "192.168.12.225",
-            "lastExternalIpAddress": "79.183.65.82",
-            "agentVersion": "10.5820.17724.1000",
-            "osBuild": 17724,
-            "healthStatus": "Inactive",
-			"rbacGroupId": 140,
-			"rbacGroupName": "The-A-Team",
-            "riskScore": "Low",
-            "aadDeviceId": null,
-			"machineTags": [ "test tag 1" ]
-        }
-    ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
new file mode 100644
index 0000000000..30e6e789bd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -0,0 +1,60 @@
+---
+title: Helpful Microsoft Defender Advanced Threat Protection resources
+description: Access helpful resources such as links to blogs and other resources related to  Microsoft Defender Advanced Threat Protection
+keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual 
+---
+
+# Helpful Microsoft Defender Advanced Threat Protection resources
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Access helpful resources such as links to blogs and other resources related to  Microsoft Defender Advanced Threat Protection.
+
+## Endpoint protection platform
+-   [Top scoring in industry
+    tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
+
+-   [Inside out: Get to know the advanced technologies at the core of Microsoft
+    Defender ATP next generation
+    protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
+
+-   [Protecting disconnected devices with Microsoft Defender
+    ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
+
+-   [Tamper protection in Microsoft Defender
+    ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
+
+## Endpoint Detection Response
+
+-   [Incident response at your fingertips with Microsoft Defender ATP live
+    response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
+
+## Threat Vulnerability Management
+
+-   [Microsoft Defender ATP Threat & Vulnerability Management now publicly
+    available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977)
+
+## Operational
+
+-   [The Golden Hour remake - Defining metrics for a successful security
+    operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014)
+
+-   [Microsoft Defender ATP Evaluation lab is now available in public preview
+    ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
+
+-   [How automation brings value to your security
+    teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png b/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png
new file mode 100644
index 0000000000..abea5e0e79
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png
new file mode 100644
index 0000000000..6ecfd587f2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png
new file mode 100644
index 0000000000..03b88ba1b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png b/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png
new file mode 100644
index 0000000000..0fd52ae187
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png b/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png
new file mode 100644
index 0000000000..f09c0502a5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png
new file mode 100644
index 0000000000..a28b8fdac5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png b/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png
new file mode 100644
index 0000000000..dd1e768536
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png
new file mode 100644
index 0000000000..c15c6bfbd5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png b/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png
new file mode 100644
index 0000000000..ce5171fa8b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png b/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png
new file mode 100644
index 0000000000..db6b6881f4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png b/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png
new file mode 100644
index 0000000000..2576c45c77
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png
new file mode 100644
index 0000000000..ccba2cefda
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png b/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png
new file mode 100644
index 0000000000..d9e4d196b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png b/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png
new file mode 100644
index 0000000000..79fb39ee6c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png
new file mode 100644
index 0000000000..9418fb64f3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png
new file mode 100644
index 0000000000..52392e9097
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png
new file mode 100644
index 0000000000..a6947f5624
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png
new file mode 100644
index 0000000000..786273e269
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png b/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png
new file mode 100644
index 0000000000..20f45112fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png b/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png
new file mode 100644
index 0000000000..b5a56d8ff7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png
new file mode 100644
index 0000000000..85a0cce645
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png b/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png
new file mode 100644
index 0000000000..6aefd54b7b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png
new file mode 100644
index 0000000000..3222b68426
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png b/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png
new file mode 100644
index 0000000000..c38fa668f8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png b/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png
new file mode 100644
index 0000000000..280bd8fe5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png
new file mode 100644
index 0000000000..6004368075
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png b/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png
new file mode 100644
index 0000000000..982987eecc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png
new file mode 100644
index 0000000000..d44ef55ea4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png
new file mode 100644
index 0000000000..04e48619f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png
new file mode 100644
index 0000000000..7635b49f3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png
new file mode 100644
index 0000000000..8e07f27524
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png
new file mode 100644
index 0000000000..a205159bcc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png
new file mode 100644
index 0000000000..ea76ada5b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png
new file mode 100644
index 0000000000..ed201870fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png
new file mode 100644
index 0000000000..c37385be18
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png b/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png
new file mode 100644
index 0000000000..cce824fab2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png b/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png
new file mode 100644
index 0000000000..82dee6a0cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png
index 74d57acf8e..5483c98dd4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png and b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png
new file mode 100644
index 0000000000..b7dea8615b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-consent-partner.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-consent-partner.png
new file mode 100644
index 0000000000..86ef9c2f7f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/app-consent-partner.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-id.png
new file mode 100644
index 0000000000..38bf20cac7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/app-id.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png
index 15977b7c35..d0ad871edc 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-api-new-app-partner.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-api-new-app-partner.png
new file mode 100644
index 0000000000..ffb7163ee0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-api-new-app-partner.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png
new file mode 100644
index 0000000000..7a74411ba6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png
new file mode 100644
index 0000000000..d829f21d90
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png
new file mode 100644
index 0000000000..94c9207f1e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png b/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png
new file mode 100644
index 0000000000..a730ac1438
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png
new file mode 100644
index 0000000000..51953de984
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png b/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png
new file mode 100644
index 0000000000..36d62a08a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png
new file mode 100644
index 0000000000..b900487c3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png
new file mode 100644
index 0000000000..37a9e5ac2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png
index 0735940d05..ce44610a06 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png and b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png
new file mode 100644
index 0000000000..26eed612da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
new file mode 100644
index 0000000000..6d49c8b659
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
new file mode 100644
index 0000000000..39b714cdd4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png
new file mode 100644
index 0000000000..ad86ffd4aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png
new file mode 100644
index 0000000000..fe88265080
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
new file mode 100644
index 0000000000..a0f5f3e295
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png
new file mode 100644
index 0000000000..7bea07f260
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png
new file mode 100644
index 0000000000..7bea07f260
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png
new file mode 100644
index 0000000000..ecef165279
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
new file mode 100644
index 0000000000..fe2925eca1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
new file mode 100644
index 0000000000..7e23f6385d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
new file mode 100644
index 0000000000..92acd79c2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
new file mode 100644
index 0000000000..42c18d2b1c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
new file mode 100644
index 0000000000..fd3d91a008
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
new file mode 100644
index 0000000000..cac48b7605
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
new file mode 100644
index 0000000000..37fa96777b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
new file mode 100644
index 0000000000..22b6b6419e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
new file mode 100644
index 0000000000..d1987ab4cb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
new file mode 100644
index 0000000000..ecef165279
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
new file mode 100644
index 0000000000..78d20dc4ee
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png
new file mode 100644
index 0000000000..ca51512b09
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyout.png
new file mode 100644
index 0000000000..3631b163d6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png
new file mode 100644
index 0000000000..ca51512b09
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
new file mode 100644
index 0000000000..31e550b1e1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png
new file mode 100644
index 0000000000..e7fdf586b6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png
new file mode 100644
index 0000000000..4b1c91c9e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png
new file mode 100644
index 0000000000..9af2ad6945
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png
new file mode 100644
index 0000000000..09c4876e1d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_securityrecommendation-graph.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_securityrecommendation-graph.png
new file mode 100644
index 0000000000..68de0e52d9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_securityrecommendation-graph.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png
new file mode 100644
index 0000000000..80dbf3635b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png
new file mode 100644
index 0000000000..80dbf3635b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png
index 99339be6a7..64b830f1ef 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png
index be98e49216..3df1514164 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index 7578bad95e..6f16b9a43a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@@ -59,4 +59,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
 
 
 >[!TIP]
->These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. 
\ No newline at end of file
+>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. 
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index f875c8027f..3e95295b96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -1,7 +1,7 @@
 ---
-title: Initiate machine investigation API
-description: Use this API to create calls related to initiating an investigation on a machine.
-keywords: apis, graph api, supported apis, initiate AutoIR investigation
+title: Start Investigation API
+description: Use this API to start investigation on a machine.
+keywords: apis, graph api, supported apis, investigation
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -16,38 +16,39 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
 
-# Initiate machine investigation API (Preview)
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+# Start Investigation API
 
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Initiate AutoIR investigation on a machine.
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Start automated investigation on a machine.
+
See [Overview of automated investigations](automated-investigations.md) for more information.
 
->[!Note]
-> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations.md) for more information.
 
 ## Limitations
-1. The number of executions is limited (up to 5 calls per hour).
-2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations.md).
+1. Rate limitations for this API are 50 calls per hour.
+
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
 
 Permission type |	Permission	|	Permission display name
 :---|:---|:---
-Application |	Alert.ReadWrite.All	 |	'Read and write all alerts'
-Delegated (work or school account) |	Alert.ReadWrite |	'Read and write alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 
 >[!Note]
 > When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
 >- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
 
+
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation
+POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
 ```
 
 ## Request headers
@@ -64,8 +65,10 @@ Parameter |	Type	| Description
 :---|:---|:---
 Comment |	String |	Comment to associate with the action. **Required**.
 
+
 ## Response
-If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value" parameter. If machine was not found - 404 Not Found.
+If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body.
+
 
 ## Example
 
@@ -76,23 +79,8 @@ Here is an example of the request.
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation
+POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
 Content-type: application/json
 {
-  "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2"
+  "Comment": "Test investigation",
 }
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64",
-    "value": 5146
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 487d24f359..88ac0b8be9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -44,7 +44,7 @@ If you turn network protection off, users or apps will not be blocked from conne
 
 If you do not configure it, network blocking will be turned off by default.
 
-For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
+For more information, see [Enable network protection](enable-network-protection.md).
 
 ## Investigation impact
 When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
@@ -60,12 +60,12 @@ Event's information:
 
 
 ## Hunt for connection events using advanced hunting 
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
+All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type.
 
 Using this simple query will show you all the relevant events:
 
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess" 
 | take 10
 ```
@@ -77,7 +77,7 @@ You can also filter out  events that are related to connection to the proxy itse
 Use the following query to filter out the connections to the proxy:
 
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"  
 | take 10
 ```
@@ -86,4 +86,3 @@ NetworkCommunicationEvents
 
 ## Related topics
 - [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
-- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
new file mode 100644
index 0000000000..ec516a1afc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -0,0 +1,64 @@
+---
+title: Investigation resource type
+description: Microsoft Defender ATP Investigation entity.
+keywords: apis, graph api, supported apis, get, alerts, investigations
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Investigation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+Represent an Automated Investigation entity in Microsoft Defender ATP.
+
 See [Overview of automated investigations](automated-investigations.md) for more information.
+
+## Methods
+Method|Return Type |Description
+:---|:---|:---
+[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
+[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity.
+[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a machine.
+
+
+## Properties
+Property |	Type	|	Description
+:---|:---|:---
+id | String | Identity of the investigation entity. 
+startTime | DateTime Nullable | The date and time when the investigation was created. 
+endTime | DateTime Nullable | The date and time when the investigation was completed. 
+cancelledBy | String | The ID of the user/application that cancelled that investigation. 
+investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+statusDetails | String | Additional information about the state of the investigation.
+machineId | String | The ID of the machine on which the investigation is executed.
+computerDnsName | String | The name of the machine on which the investigation is executed.
+triggeringAlertId | String | The ID of the alert that triggered the investigation.
+
+
+## Json representation
+
+```json
+{
+    "id": "63004",
+    "startTime": "2020-01-06T13:05:15Z",
+    "endTime": null,
+    "state": "Running",
+    "cancelledBy": null,
+    "statusDetails": null,
+    "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
+    "computerDnsName": "desktop-test123",
+    "triggeringAlertId": "da637139127150012465_1011995739"
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 4a1fb9b49b..8b8c759287 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Isolate machine API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Isolates a machine from accessing external network.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -85,27 +92,5 @@ Content-type: application/json
   “IsolationType”: “Full” 
 }
 
-```
-**Response**
 
-Here is an example of the response.
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "b89eb834-4578-496c-8be0-03f004061435",
-    "type": "Isolate",
-    "requestor": "Analyst@contoso.com ",
-    "requestorComment": "Isolate machine due to alert 1234",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
-    "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
-	"relatedFileInfo": null
-}
-
-```
-
-To unisolate a machine, see [Release machine from isolation](unisolate-machine.md).
+- To unisolate a machine, see [Release machine from isolation](unisolate-machine.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 259e8692cd..083d1a181e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -225,7 +225,7 @@ $ mdatp --health healthy
 The above command prints "1" if the product is onboarded and functioning as expected.
 
 If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-- 1 if the device is not yet onboarded
+- 0 if the device is not yet onboarded
 - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
 
 ## Logging installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index c5b8407fc6..85deccc918 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -371,10 +371,6 @@ The following configuration profile will:
 ### Intune profile
 
 ```XML
-
-
-
-    
         PayloadUUID
         C4E6A782-0C8D-44AB-A025-EB893987A295
         PayloadType
@@ -443,8 +439,6 @@ The following configuration profile will:
                 
             
         
-    
-
 ```
 
 ## Full configuration profile example
@@ -530,10 +524,6 @@ The following configuration profile contains entries for all settings described
 ### Intune profile
 
 ```XML
-
-
-
-    
         PayloadUUID
         C4E6A782-0C8D-44AB-A025-EB893987A295
         PayloadType
@@ -640,8 +630,6 @@ The following configuration profile contains entries for all settings described
                 
             
         
-    
-
 ```
 
 ## Configuration profile deployment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 171cf371d6..43323ca96d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,14 @@ ms.topic: conceptual
 
 # What's new in Microsoft Defender Advanced Threat Protection for Mac
 
+## 100.82.60
+
+- Addressed an issue where the product fails to start following a definition update.
+
+## 100.80.42
+
+- Bug fixes
+
 ## 100.79.42
 
 - Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 608409befc..daf8b70f1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -76,8 +76,8 @@ Machines with similar tags can be handy when you need to apply contextual action
 Use the following registry key entry to add a tag on a machine:
 
 - Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key name: `Group`
-- Registry key value (REG_SZ): `Name of the tag you want to set`
+- Registry key value (REG_SZ): `Group`
+- Registry key data: `Name of the tag you want to set`
 
 >[!NOTE]
 >The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index a4227c1113..4edb6f1e70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -17,8 +17,10 @@ ms.topic: article
 ---
 
 # Machine resource type
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
 ## Methods
@@ -38,15 +40,41 @@ id | String | [machine](machine.md) identity.
 computerDnsName | String | [machine](machine.md) fully qualified name.
 firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender ATP.
 lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender ATP.
-osPlatform | String | OS platform.
-osVersion | String | OS Version.
+osPlatform | String | Operating system platform.
+version | String | Operating system Version.
+osBuild | Nullable long | Operating system build number.
 lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
 lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
-agentVersion | String | Version of Microsoft Defender ATP agent.
-osBuild | Nullable long | OS build number.
 healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
-rbacGroupId | Int | RBAC Group ID.
-rbacGroupName | String | RBAC Group Name.
+rbacGroupName | String | Machine group Name.
+rbacGroupId | Int | Machine group unique ID.
 riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
+exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
 machineTags | String collection | Set of [machine](machine.md) tags.
+
+
+## Json representation
+
+```json
+{
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+    "computerDnsName": "mymachine1.contoso.com",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
+    "osPlatform": "Windows10",
+    "version": "1709",
+	"osProcessor": "x64",
+    "lastIpAddress": "172.17.230.209",
+    "lastExternalIpAddress": "167.220.196.71",
+    "osBuild": 18209,
+    "healthStatus": "Active",
+    "rbacGroupId": 140,
+	"rbacGroupName": "The-A-Team",
+    "riskScore": "Low",
+	"exposureLevel": "Medium",
+	"isAadJoined": true,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [ "test tag 1", "test tag 2" ]
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index 714a678227..fdd4146f99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -18,8 +18,11 @@ ms.topic: article
 
 # MachineAction resource type
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+- See [Response Actions](respond-machine-alerts.md) for more information
 
 | Method                                                            | Return Type                        | Description                                                 |
 |:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------|
@@ -33,6 +36,7 @@ ms.topic: article
 | [Remove app restriction](unrestrict-code-execution.md)            | [Machine Action](machineaction.md) | Remove application execution restriction.                   |
 | [Run antivirus scan](run-av-scan.md)                              | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable).    |
 | [Offboard machine](offboard-machine-api.md)                       | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. |
+| [Stop and quarantine file](stop-and-quarantine-file.md)           | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it.        |
 
 

 
@@ -42,11 +46,31 @@ ms.topic: article
 |:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | id                  | Guid           | Identity of the [Machine Action](machineaction.md) entity.                                                                                                                                                     |
 | type                | Enum           | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" |
+| scope				  | string         | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan.						                                                                            |
 | requestor           | String         | Identity of the person that executed the action.                                                                                                                                                               |
 | requestorComment    | String         | Comment that was written when issuing the action.                                                                                                                                                              |
 | status              | Enum           | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".                                                                                 |
-| machineId           | String         | Id of the machine on which the action was executed.                                                                                                                                                            |
+| machineId           | String         | Id of the [machine](machine.md) on which the action was executed.                                                                                                                                              |
+| machineId           | String         | Name of the [machine](machine.md) on which the action was executed.                                                                                                                                            |
 | creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.                                                                                                                                                                 |
 | lastUpdateTimeUtc   | DateTimeOffset | The last date and time when the action status was updated.                                                                                                                                                     |
-| relatedFileInfo     | Class          | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5".                                                                         |
+| relatedFileInfo     | Class          | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5".                                                                         |
 
+
+## Json representation
+
+```json
+{
+        "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
+        "type": "Isolate",
+		"scope": "Selective",
+        "requestor": "Analyst@TestPrd.onmicrosoft.com",
+        "requestorComment": "test for docs",
+        "status": "Succeeded",
+        "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
+        "computerDnsName": "desktop-test",
+        "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
+        "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
+        "relatedFileInfo": null
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 30bbd5efe4..e23db78609 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -1,8 +1,8 @@
 ---
 title: Overview of management and APIs
 ms.reviewer: 
-description: 
-keywords: 
+description: Learn about the management tools and API categories in Microsoft Defender ATP
+keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -29,40 +29,51 @@ Microsoft Defender ATP supports a wide variety of options to ensure that custome
 
 Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. 
 
+## Endpoint onboarding and portal access 
+
 Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management.
 
 Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
 - Globally distributed organizations and security teams
 - Tiered model security operations teams
-- Fully segregated devisions with single centralized global security operations teams 
+- Fully segregated divisions with single centralized global security operations teams 
 
-The Microsoft Defender ATP solution is built on top of an integration-ready platform:
-- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. 
-- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation:
-   - Enriching events coming from other security systems with foot print or prevalence information
-   - Triggering file or machine level response actions through APIs
-   - Keeping systems in-sync such as importing machine tags from asset management systems into Microsoft Defender ATP, synchronize alerts and incidents status cross ticketing systems with Microsoft Defender ATP.
+## Available APIs
+The Microsoft Defender ATP solution is built on top of an integration-ready platform.
 
-An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification: 
-- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures.
-- Microsoft Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Microsoft Defender ATP alerts and secure score of  machines. The platform also supports full customization of the reports, including mashing of Microsoft Defender ATP data with your own data stream to produce business specific reports.
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
+
+![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png)
+
+The Microsoft Defender ATP APIs can be grouped into three:
+- Microsoft Defender ATP APIs 
+- Raw data streaming API
+- SIEM integration
 
 
-## In this section
-Topic | Description 
-:---|:---
-Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
-Managed security service provider | Get a quick overview on managed security service provider support.
+## Microsoft Defender ATP APIs
+
+Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure  AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. 
+
+The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
+
+The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others. 
+
+## Raw data streaming API 
+Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
+
+The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. 
+
+For more information see, [Raw data streaming API](raw-data-export.md).
 
 
+## SIEM API
+When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
 
 
 ## Related topics
-- [Onboard machines](onboard-configure.md)
-- [Enable the custom threat intelligence application](enable-custom-ti.md)
-- [Microsoft Defender ATP Public API](apis-intro.md)
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Role-based access control](rbac.md)
+- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
+- [Supported APIs](exposed-apis-list.md)
+- [Technical partner opportunities](partner-integration.md)
 
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index 0eb9f57648..b005d81545 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Cloud App Security integration overview
 ms.reviewer: 
-description: Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage
+description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) integrates with Cloud App Security by forwarding all cloud app networking activities.
 keywords: cloud, app, networking, visibility, usage
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 6cad2a8034..be43f23ee8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -63,7 +63,7 @@ The three most recent major releases of macOS are supported.
 - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
 - Disk space: 650 MB
 
-Beta versions of macOS are not supported. macOS Sierra (10.12) support will end on January 1, 2020.
+Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index aaf95f6065..b2c1bdcbf9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -174,6 +174,9 @@ When Windows Defender Antivirus is not the active antimalware in your organizati
 
 If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
 
+> [!NOTE]
+> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+
 
 For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
index 4859c4cd49..dc86cb4ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
@@ -1,5 +1,5 @@
 ---
-title: Managed security service provider (MSSP) support
+title: Managed security service provider (MSSP) partnership opportunities
 description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP)
 keywords: mssp, integration, managed, security, service, provider
 search.product: eADQiWindows 10XVcnh
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Managed security service provider support
+# Managed security service provider partnership opportunities
 
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -25,14 +25,13 @@ ms.topic: conceptual
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
 
 
-
 Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
 
 
 To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP. 
 
 
-Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions:
+Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
 
 - Get access to MSSP customer's Microsoft Defender Security Center portal
 - Get email notifications, and 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 6c0c0b5d21..3c6f9f6bc7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -52,12 +52,12 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
 
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
 
 Here is an example query
 
-```PowerShell
-MiscEvents
+```kusto
+DeviceEvents
 | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 314f1a67e6..ab3dd486d7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Offboard machine API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Offboard machine from Microsoft Defender ATP.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -76,26 +83,4 @@ Content-type: application/json
 {
   "Comment": "Offboard machine by automation"
 }
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
-    "type": "OffboardMachine",
-    "requestor": "Analyst@contoso.com",
-    "requestorComment": "offboard machine by automation",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
-	"relatedFileInfo": null
-}
-
-```
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index c4263e9958..987d3c8ce0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -341,6 +341,7 @@
 ###### [Hello World](api-hello-world.md)
 ###### [Get access with application context](exposed-apis-create-app-webapp.md)
 ###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
+###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
 
 ##### [APIs]()
 ###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
@@ -380,7 +381,12 @@
 ####### [Run antivirus scan](run-av-scan.md)
 ####### [Offboard machine](offboard-machine-api.md)
 ####### [Stop and quarantine file](stop-and-quarantine-file.md)
-####### [Initiate investigation (preview)](initiate-autoir-investigation.md)
+
+###### [Automated Investigation]()
+####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
+####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
+####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
+####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
 
 ###### [Indicators]()
 ####### [Methods and properties](ti-indicator.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index 03e0f5ca62..470e593502 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -1,7 +1,7 @@
 ---
 title: Overview of custom detections in Microsoft Defender ATP
 ms.reviewer: 
-description: Understand how you can use Advanced hunting to create custom detections and generate alerts
+description: Understand how you can use advanced hunting to create custom detections and generate alerts
 keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -28,7 +28,7 @@ With custom detections, you can proactively monitor for and respond to various e
 Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 Custom detections provide:
-- Alerts for rule-based detections built from Advanced hunting queries
+- Alerts for rule-based detections built from advanced hunting queries
 - Automatic response actions that apply to files and machines
 
 >[!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
new file mode 100644
index 0000000000..f9914b49c5
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
@@ -0,0 +1,55 @@
+---
+title: Microsoft Defender ATP partner opportunities and scenarios
+ms.reviewer: 
+description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP
+keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual 
+---
+
+# Microsoft Defender ATP partner opportunities and scenarios
+
+**Applies to:** 
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP. 
+
+The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. 
+
+
+## Scenario 1: External alert correlation and Automated investigation and remediation
+Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. 
+
+Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
+
+Microsoft Defender ATP adds support for this scenario in the following forms:
+- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
+
+- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
+
+## Scenario 2: Security orchestration and automation response (SOAR) integration
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others.
+
+## Scenario 3: Indicators matching 
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
+
+The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios.
+
+Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
+
+## Related topic
+- [Overview of management and APIs](management-apis.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 060f4d77f0..480df72feb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft Defender Advanced Threat Protection portal overview
-description: Use Microsoft Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
+description: Microsoft Defender Security Center can monitor your enterprise network and assist in responding to potential advanced persistent threats (APT) or data breaches.
 keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 2165a3f073..b865033486 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -18,18 +18,19 @@ ms.topic: article
 
 # Submit or Update Indicator API
 
-**Applies to:** 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 
->[!NOTE]
-> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
+## API description
+Submits or Updates new [Indicator](ti-indicator.md) entity.
+
CIDR notation for IPs is supported.
 
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. There is a limit of 5,000 active indicators per tenant. 
 
-- Submits or Updates new [Indicator](ti-indicator.md) entity.
-
->[!NOTE]
->There is a limit of 5000 indicators per tenant. 
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@@ -38,6 +39,7 @@ Permission type |	Permission	|	Permission display name
 :---|:---|:---
 Application |	Ti.ReadWrite |	'Read and write Indicators'
 Application |	Ti.ReadWrite.All |	'Read and write All Indicators'
+Delegated (work or school account) |	Ti.ReadWrite |	'Read and write Indicators'
 
 
 ## HTTP request
@@ -63,16 +65,17 @@ Parameter |	Type	| Description
 indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | Indicator alert title. **Optional**
+application | String | The application associated with the indicator. **Optional**
+title | String | Indicator alert title. **Required**
+description | String | Description of the indicator. **Required**
 expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-description | String | Description of the indicator. **Optional**
 recommendedActions | String | TI indicator alert recommended actions. **Optional**
 
 
 ## Response
 - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body.
-- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit an Indicator that conflicts with an existing Indicator type or Action.  
+- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
 
 ## Example
 
@@ -84,40 +87,16 @@ Here is an example of the request.
 POST https://api.securitycenter.windows.com/api/indicators
 Content-type: application/json
 {
-	"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+	"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
 	"indicatorType": "FileSha1",
 	"title": "test",
+	"application": "demo-test",
 	"expirationTime": "2020-12-12T00:00:00Z",
 	"action": "AlertAndBlock",
 	"severity": "Informational",
 	"description": "test",
-	"recommendedActions": "TEST"
+	"recommendedActions": "nothing"
 }
 
-```
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity",
-    "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
-    "indicatorType": "FileSha1",
-    "title": "test",
-    "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
-    "createdBy": "45097602-1234-5678-1234-9f453233e62c",
-    "expirationTime": "2020-12-12T00:00:00Z",
-    "action": "AlertAndBlock",
-    "severity": "Informational",
-    "description": "test",
-    "recommendedActions": "TEST",
-	"rbacGroupNames": []
-}
-
-```
-
 ## Related topic
 - [Manage indicators](manage-indicators.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
new file mode 100644
index 0000000000..60c0833058
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -0,0 +1,162 @@
+---
+title: Prepare Microsoft Defender ATP deployment
+description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
+keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article 
+---
+
+# Prepare Microsoft Defender ATP deployment
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Stakeholders and Sign-off
+The following section serves to identify all the stakeholders that are involved
+in this project and need to sign-off, review, or stay informed. Add stakeholders
+to the table below as appropriate for your organization.
+
+-   SO = Sign-off on this project
+
+-   R = Review this project and provide input
+
+-   I = Informed of this project
+
+| Name                 | Role                                                                                                                                                                                                          | Action |
+|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
+| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.*                                                  | SO     |
+| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.*       | SO     |
+| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.*                         | R      |
+| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.*                             | R      |
+| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I      |
+
+## Project Management
+
+### In Scope
+
+The following is in scope for this project:
+
+-   Enabling Microsoft Defender ATP endpoint protection platform (EPP)
+    capabilities
+
+    -   Next Generation Protection
+
+    -   Attack Surface Reduction
+
+-   Enabling Microsoft Defender ATP endpoint detection and response (EDR)
+    capabilities including automatic investigation and remediation
+
+-   Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
+-   Use of System Center Configuration Manager to onboard endpoints into the service.
+
+### Out of scope
+
+The following are out of scope of this project:
+
+-   Configuration of third-party solutions that might integrate with Microsoft
+    Defender ATP.
+
+-   Penetration testing in production environment.
+
+## Environment 
+
+
+This section is used to ensure your environment is deeply understood by the
+stakeholders which will help identify potential dependencies and/or changes
+required in technologies or processes.
+
+| What                                  | Description |
+|---------------------------------------|-------------|
+| Endpoint count                        |             |
+| Server count                          |             |
+| Management engine                     |             |
+| CDOC distribution                     |             |
+| Security information and event (SIEM) |             |
+
+
+## Role-based access control
+
+Microsoft recommends using the concept of least privileges. Microsoft Defender
+ATP leverages built-in roles within Azure Active Directory. Microsoft recommend
+[review the different roles that are
+available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
+and choose the right one to solve your needs for each persona for this
+application. Some roles may need to be applied temporarily and removed after the
+deployment has been completed.
+
+| Personas                     | Roles | Azure AD Role (if required) | Assign to |
+|------------------------------|-------|-----------------------------|-----------|
+| Security Administrator       |       |                             |           |
+| Security Analyst             |       |                             |           |
+| Endpoint Administrator       |       |                             |           |
+| Infrastructure Administrator |       |                             |           |
+| Business Owner/Stakeholder   |       |                             |           |
+
+Microsoft recommends using [Privileged Identity
+Management](https://docs.microsoft.com/azure/active-directory/active-directory-privileged-identity-management-configure)
+to manage your roles to provide additional auditing, control, and access review
+for users with directory permissions.
+
+Microsoft Defender ATP supports two ways to manage permissions:
+
+-   **Basic permissions management**: Set permissions to either full access or
+    read-only. In the case of basic permissions management users with Global
+    Administrator or Security Administrator role in Azure Active Directory have
+    full access while the Security reader role has read-only access.
+
+-   **Role-based access control (RBAC)**: Set granular permissions by defining
+    roles, assigning Azure AD user groups to the roles, and granting the user
+    groups access to machine groups. For more information. see [Manage portal access using role-based access control](rbac.md).
+
+Microsoft recommends leveraging RBAC to ensure that only users that have a
+business justification can access Microsoft Defender ATP.
+
+You can find details on permission guidelines
+[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
+
+The following example table serves to identify the Cyber Defense Operations
+Center structure in your environment that will help you determine the RBAC
+structure required for your environment.
+
+| Tier   | Description                                                                                                                                                                                                 | Permission Required |
+|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
+| Tier 1 | **Local security operations team / IT team**
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.                                              |                     |
+| Tier 2 | **Regional security operations team**
This team can see all the machines for their region and perform remediation actions.                                                                                                                        |        View data               |
+| Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. | View data 
  Alerts investigation Active remediation actions 
 Alerts investigation Active remediation actions 
 Manage portal system settings 
 Manage security settings |
+
+
+
+## Adoption Order
+In many cases organizations will have existing endpoint security products in
+place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution.
+Historically, replacing any security solution was time intensive and difficult
+to achieve due to the tight hooks into the application layer and infrastructure
+dependencies. However, because Microsoft Defender ATP is built into the
+operating system, replacing third-party solutions is easy to achieve.
+
+Choose which component of Microsoft Defender ATP to be used and remove the ones
+that do not apply. The table below indicates the Microsoft recommendation on the
+order on how the endpoint security suite should be enabled.
+
+| Component                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Adoption Order Rank |
+|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
+| Endpoint Detection & Response (EDR)     | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)                                                                                                                                                                                                                                             | 1                   |
+| Next Generation Protection (NGP)        | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 2                   |
+| Attack Surface Reduction (ASR)          | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction)                                                                                                                                                                                                                                                                                                                                                                                       | 3                   |
+| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 4                   |
+| Auto Investigation & Remediation (AIR)  | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable      |
+| Microsoft Threat Experts (MTE)          | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)                                                                                                                                                                                                                                                                                                                     | Not applicable      |
+
+## Related topic
+- [Production deployment](production-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 92302ac241..b02f8e485d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -24,7 +24,8 @@ ms.topic: conceptual
 
 The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) 
+> [!TIP] 
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink) 
 
 Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
 
@@ -42,11 +43,11 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 The following features are included in the preview release:
 
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) 
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
+ - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) 
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
 
-- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) 
Report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
+- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) 
 You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
  
-- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) 
See a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
+ - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) 
 You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
 
 - [Machine health and compliance report](machine-reports.md)  The machine health and compliance report provides high-level information about the devices in your organization.
 
@@ -66,4 +67,5 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
 - [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) 

 Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)  
+> [!TIP] 
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)  
diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
new file mode 100644
index 0000000000..2a83d109de
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
@@ -0,0 +1,74 @@
+---
+title: Microsoft Defender Advanced Threat Protection product brief
+description: Learn about the Microsoft Defender Advanced Threat Protection capabilities and licensing requirements
+keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual 
+---
+
+# Microsoft Defender Advanced Threat Protection product brief 
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Microsoft Defender ATP is a platform designed to
+help enterprise networks prevent, detect, investigate, and respond to advanced
+threats.
+
+![Image of the Microsoft Defender ATP components](images/mdatp-platform.png)
+
+## Platform capabilities
+
+Capability | Description 
+:---|:---
+**Threat and Vulnerability Management**  | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+**Attack Surface Reduction** |  The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+**Next Generation Protection** |  To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. 
+**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. 
+**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
+**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization. 
+ **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
+**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.  
+ **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization.             |   |
+
+Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+
+-   **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+    collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
+
+
+-   **Cloud security analytics**: Leveraging big-data, machine-learning, and
+    unique Microsoft optics across the Windows ecosystem,
+    enterprise cloud products (such as Office 365), and online assets, behavioral signals
+    are translated into insights, detections, and recommended responses
+    to advanced threats.
+
+-   **Threat intelligence**: Generated by Microsoft hunters, security teams,
+    and augmented by threat intelligence provided by partners, threat
+    intelligence enables Microsoft Defender ATP to identify attacker
+    tools, techniques, and procedures, and generate alerts when these
+    are observed in collected sensor data.
+
+## Licensing requirements
+Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+- Windows 10 Enterprise E5
+- Windows 10 Education A5
+- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 A5 (M365 A5)
+
+## Related topic
+- [Prepare deployment](prepare-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
new file mode 100644
index 0000000000..4e93583820
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -0,0 +1,602 @@
+---
+title: Microsoft Defender ATP production deployment
+description: 
+keywords:
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article 
+---
+
+# Microsoft Defender ATP production deployment
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
+- Tenant configuration
+- Network configuration
+- Onboarding using System Center Configuration Manager
+- Endpoint detection and response
+- Next generation protection
+- Attack surface reduction
+
+>[!NOTE]
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+
+## Tenant Configuration
+
+When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
+
+1. From a web browser, navigate to .
+
+    ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
+
+2. If going through a TRIAL license, go to the link ()
+
+    Once the authorization step is completed, the **Welcome** screen will be displayed.
+3. Go through the authorization steps.
+
+    ![Image of Welcome screen for portal set up](images/welcome1.png)
+
+4. Set up preferences.
+
+   **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation. 
+
+    **Data retention** - The default is 6 months.
+
+    **Enable preview features** - The default is on, can be changed later.
+
+    ![Image of geographic location in set up](images/setup-preferences.png)
+
+5. Select **Next**.
+
+     ![Image of final preference set up](images/setup-preferences2.png)
+
+6. Select **Continue**.
+
+
+## Network configuration
+If the organization does not require the endpoints to use a Proxy to access the
+Internet, skip this section.
+
+The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to
+report sensor data and communicate with the Microsoft Defender ATP service. The
+embedded Microsoft Defender ATP sensor runs in the system context using the
+LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP)
+to enable communication with the Microsoft Defender ATP cloud service. The
+WinHTTP configuration setting is independent of the Windows Internet (WinINet)
+internet browsing proxy settings and can only discover a proxy server by using
+the following discovery methods:
+
+**Auto-discovery methods:**
+
+-   Transparent proxy
+
+-   Web Proxy Auto-discovery Protocol (WPAD)
+
+If a Transparent proxy or WPAD has been implemented in the network topology,
+there is no need for special configuration settings. For more information on
+Microsoft Defender ATP URL exclusions in the proxy, see the
+Appendix section in this document for the URLs Whitelisting or on
+[Microsoft
+Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
+
+**Manual static proxy configuration:**
+
+-   Registry based configuration
+
+-   WinHTTP configured using netsh command 
 Suitable only for desktops in a
+    stable topology (for example: a desktop in a corporate network behind the
+    same proxy)
+
+### Configure the proxy server manually using a registry-based static proxy
+
+Configure a registry-based static proxy to allow only Microsoft Defender ATP
+sensor to report diagnostic data and communicate with Microsoft Defender ATP
+services if a computer is not permitted to connect to the Internet. The static
+proxy is configurable through Group Policy (GP). The group policy can be found
+under:
+
+-   Administrative Templates \> Windows Components \> Data Collection and
+    Preview Builds \> Configure Authenticated Proxy usage for the Connected User
+    Experience and Telemetry Service
+
+    -   Set it to **Enabled** and select**Disable Authenticated Proxy usage**
+
+1. Open the Group Policy Management Console.
+2. Create a policy or edit an existing policy based off the organizational practices.
+3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**. 
+    ![Image of Group Policy setting](images/atp-gpo-proxy1.png)
+
+4. Select **Enabled**.
+5. Select **Disable Authenticated Proxy usage**.
+   
+6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
+    ![Image of Group Policy setting](images/atp-gpo-proxy2.png)
+7. Select **Enabled**.
+8. Enter the **Proxy Server Name**.
+
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+
+The registry value `TelemetryProxyServer` takes the following string format:
+
+```text
+:
+```
+
+For example: 10.0.0.6:8080
+
+The registry value `DisableEnterpriseAuthProxy` should be set to 1.
+
+###  Configure the proxy server manually using netsh command
+
+Use netsh to configure a system-wide static proxy.
+
+> [!NOTE]
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.

+> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
+
+1. Open an elevated command-line:
+
+    a. Go to **Start** and type **cmd**.
+
+    b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+   ```PowerShell
+   netsh winhttp set proxy :
+   ```
+
+   For example: netsh winhttp set proxy 10.0.0.6:8080
+
+
+###  Proxy Configuration for down-level machines
+
+Down-Level machines include Windows 7 SP1 and Windows 8.1 workstations as well
+as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and
+versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
+systems will have the proxy configured as part of the Microsoft Management Agent
+to handle communication from the endpoint to Azure. Refer to the
+Microsoft Management Agent Fast Deployment Guide for information on how a proxy
+is configured on these machines.
+
+### Proxy Service URLs
+URLs that include v20 in them are only needed if you have Windows 10, version
+1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only
+needed if the machine is on Windows 10, version 1803 or later.
+
+ Service location | Microsoft.com DNS record
+-|-
+Common URLs for all locations | ```crl.microsoft.com```
 ```ctldl.windowsupdate.com``` 
```events.data.microsoft.com```
```notify.windows.com```
 ```settings-win.data.microsoft.com```
+European Union | ```eu.vortex-win.data.microsoft.com``` 
 ```eu-v20.events.data.microsoft.com``` 
 ```usseu1northprod.blob.core.windows.net```  
```usseu1westprod.blob.core.windows.net``` 
 ```winatp-gw-neu.microsoft.com``` 
 ```winatp-gw-weu.microsoft.com``` 
```wseu1northprod.blob.core.windows.net``` 
```wseu1westprod.blob.core.windows.net``` 
+United Kingdom | ```uk.vortex-win.data.microsoft.com``` 
```uk-v20.events.data.microsoft.com``` 
```ussuk1southprod.blob.core.windows.net``` 
```ussuk1westprod.blob.core.windows.net``` 
```winatp-gw-uks.microsoft.com``` 
```winatp-gw-ukw.microsoft.com``` 
```wsuk1southprod.blob.core.windows.net``` 
```wsuk1westprod.blob.core.windows.net``` 
+United States | ```us.vortex-win.data.microsoft.com``` 
 ```ussus1eastprod.blob.core.windows.net``` 
 ```ussus1westprod.blob.core.windows.net``` 
 ```ussus2eastprod.blob.core.windows.net``` 
 ```ussus2westprod.blob.core.windows.net``` 
 ```ussus3eastprod.blob.core.windows.net``` 
 ```ussus3westprod.blob.core.windows.net``` 
 ```ussus4eastprod.blob.core.windows.net``` 
 ```ussus4westprod.blob.core.windows.net``` 
 ```us-v20.events.data.microsoft.com``` 
 ```winatp-gw-cus.microsoft.com``` 
 ```winatp-gw-eus.microsoft.com``` 
 ```wsus1eastprod.blob.core.windows.net``` 
 ```wsus1westprod.blob.core.windows.net``` 
 ```wsus2eastprod.blob.core.windows.net``` 
 ```wsus2westprod.blob.core.windows.net```
+
+
+If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+
+###  Microsoft Defender ATP service backend IP range
+
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+> [!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
+## Onboarding using System Center Configuration Manager 
+### Collection creation
+To onboard Windows 10 devices with System Center Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.            
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-device-collections.png)
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-create-device-collection.png)
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-limiting-collection.png)
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-query-rule.png)
+
+5.  Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+     ![Image of System Center Configuration Manager wizard](images/sccm-direct-membership.png)
+
+6. Select **Criteria** and then choose the star icon.
+
+     ![Image of System Center Configuration Manager wizard](images/sccm-criteria.png)
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-simple-value.png)
+
+8. Select **Next** and **Close**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-membership-rules.png)
+
+9. Select **Next**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-confirm.png)
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. 
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **System Center Configuration Manager**.
+
+    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png)
+
+3.	Select **Download package**.
+
+    ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png)
+
+4. Save the package to an accessible location.
+5. In  System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-create-policy.png)
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+    ![Image of System Center Configuration Manager wizard](images/sccm-policy-name.png)
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+    ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+    ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+    ![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png)
+
+14. Verify the configuration, then click **Next**.
+
+     ![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png)
+
+15. Click **Close** when the Wizard completes.
+
+16.  In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+     ![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png)
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+    ![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png)
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+    ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png)
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+
+Edit the InstallMMA.cmd with a text editor, such as notepad and update the
+following lines and save the file:
+
+   ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
+
+Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+
+   ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
+
+Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
+Systems:
+
+-   Server SKUs: Windows Server 2008 SP1 or Newer
+
+-   Client SKUs: Windows 7 SP1 and later
+
+The MMA agent will need to be installed on Windows devices. To install the
+agent, some systems will need to download the [Update for customer experience
+and diagnostic
+telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+in order to collect the data with MMA. These system versions include but may not
+be limited to:
+
+-   Windows 8.1
+
+-   Windows 7
+
+-   Windows Server 2016
+
+-   Windows Server 2012 R2
+
+-   Windows Server 2008 R2
+
+Specifically, for Windows 7 SP1, the following patches must be installed:
+
+-   Install
+    [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+-   Install either [.NET Framework
+    4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+    later) **or**
+    [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+    Do not install both on the same system.
+
+To deploy the MMA with System Center Configuration Manager, follow the steps
+below to utilize the provided batch files to onboard the systems. The CMD file
+when executed, will require the system to copy files from a network share by the
+System, the System will install MMA, Install the DependencyAgent, and configure
+MMA for enrollment into the workspace.
+
+
+1. In  System Center Configuration Manager console, navigate to **Software
+    Library**.
+
+2.  Expand **Application Management**.
+
+3.  Right-click **Packages**  then select **Create Package**.
+
+4. Provide a Name for the package, then click **Next**
+
+    ![Image of System Center Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png)
+
+5. Verify **Standard Program** is selected.
+
+   ![Image of System Center Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png)
+
+6.  Click **Next**.
+
+    ![Image of System Center Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png)
+
+7. Enter a program name.
+
+8.  Browse to the location of the InstallMMA.cmd.
+
+9.  Set Run to **Hidden**.
+
+10.  Set **Program can run** to **Whether or not a user is logged on**.
+
+11.  Click **Next**.
+
+12.  Set the **Maximum allowed run time** to 720.
+
+13.  Click **Next**.
+
+   ![Image of System Center Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
+
+14. Verify the configuration, then click **Next**.
+
+    ![Image of System Center Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png)
+
+15. Click **Next**.
+
+16. Click **Close**.
+
+17.  In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
+    Onboarding Package just created and select **Deploy**.
+
+18. On the right panel select the appropriate collection.
+
+19.  Click **OK**.
+
+## Next generation protection 
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+
+    ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png)
+
+2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence   updates** and choose **OK**.
+
+    ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
+
+    In certain industries or some select enterprise customers might have specific
+needs on how Antivirus is configured.
+
+  
+    [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+
+    For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
+  
+    
+    ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
+
+    ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
+
+    ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png)
+
+    ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png)
+
+    ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
+
+    ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png)
+
+    ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png)
+
+    ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
+
+3. Right-click on the newly created antimalware policy and select **Deploy** .
+
+    ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)
+
+4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
+
+     ![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png)
+
+After completing this task, you now have successfully configured Windows
+Defender Antivirus.
+
+## Attack Surface Reduction
+The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
+Protection. All these features provide an audit mode and a block mode. In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode.
+
+To set ASR rules in Audit mode:
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+   ![Image of System Center Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+
+2.  Select **Attack Surface Reduction**.
+   
+
+3. Set rules to **Audit** and click **Next**.
+
+    ![Image of System Center Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
+
+4. Confirm the new Exploit Guard policy by clicking on **Next**.
+
+    ![Image of System Center Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+    
+5. Once the policy is created click **Close**.
+
+    ![Image of System Center Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+    
+
+6.  Right-click on the newly created policy and choose **Deploy**.
+    
+    ![Image of System Center Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+    ![Image of System Center Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+After completing this task, you now have successfully configured ASR rules in audit mode.  
+  
+Below are additional steps to verify whether ASR rules are correctly applied to
+endpoints. (This may take few minutes)
+
+
+1. From a web browser, navigate to .
+
+2.  Select **Configuration management** from left side menu.
+
+    ![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png)
+
+3. Click **Go to attack surface management** in the Attack surface management panel. 
+    
+    ![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png)
+
+4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+    ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
+
+5. Click each device shows configuration details of ASR rules.
+
+    ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr)   for more details.  
+
+
+### To set Network Protection rules in Audit mode:
+1. In the System Center Configuration Manager console, navigate to **Assets and  Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+    ![A screenshot System Center Confirugatiom Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**. 
+
+    ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png)
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+    
+    ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+5. Once the policy is created click on **Close**.
+
+    ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+    ![A screenshot System Center Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+    ![A screenshot System Center Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+    ![A screenshot of System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+
+2. Select **Controlled folder access**.
+    
+3. Set the configuration to **Audit** and click **Next**.
+
+    ![A screenshot of System Center Configuration Manager](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)    
+    
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+    ![A screenshot of System Center Configuration Manager](images/0a6536f2c4024c08709cac8fcf800060.png)
+
+5. Once the policy is created click on **Close**.
+
+    ![A screenshot of System Center Configuration Manager](images/95d23a07c2c8bc79176788f28cef7557.png)
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+    ![A screenshot of System Center Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+
+7.  Target the policy to the newly created Windows 10 collection and click **OK**.
+
+    ![A screenshot of System Center Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+
+After completing this task, you now have successfully configured Controlled folder access in audit mode.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
index dd7b5aa37f..6addf06827 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
@@ -18,11 +18,18 @@ ms.topic: article
 
 # Restrict app execution API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Restrict execution of all applications on the machine except a predefined set.
+
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts.md) for more information)
 
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
@@ -76,29 +83,6 @@ Content-type: application/json
 }
 
 ```
-**Response**
 
-Here is an example of the response.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "78d408d1-384c-4c19-8b57-ba39e378011a",
-    "type": "RestrictCodeExecution",
-    "requestor": "Analyst@contoso.com ",
-    "requestorComment": "Restrict code execution due to alert 1234",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
-	"relatedFileInfo": null
-}
-
-```
-
-To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md).
+- To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index 648cd1a9ee..10a0f81607 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Run antivirus scan API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Initiate Windows Defender Antivirus scan on a machine.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -85,26 +92,3 @@ Content-type: application/json
 }
 ```
 
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
-    "type": "RunAntiVirusScan",
-    "requestor": "Analyst@contoso.com",
-    "requestorComment": "Check machine for viruses due to alert 3212",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
-	"relatedFileInfo": null
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 90a5c9e590..edfd07e6a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Stop and quarantine file API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Stop execution of a file on a machine and delete it.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -78,30 +85,3 @@ Content-type: application/json
 }
 
 ```
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "141408d1-384c-4c19-8b57-ba39e378011a",
-    "type": "StopAndQuarantineFile",
-    "requestor": "Analyst@contoso.com ",
-    "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
-	"relatedFileInfo": {
-        "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
-        "fileIdentifierType": "Sha1"
-	}
-}
-
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 13b98ef44d..55ffb2b7ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -1,6 +1,6 @@
 ---
 title: Threat & Vulnerability Management scenarios
-description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when you collaborate with IT Administrators and SecOps as you protect your organization from cybersecurity threats.    
+description: Learn how Threat & Vulnerability Management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats.
 keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -159,7 +159,7 @@ When an exception is created for a recommendation, the recommendation is no long
 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). 
 ![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) 
 
-## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit 
+## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit 
 
 1. Go to **Advanced hunting** from the left-hand navigation pane.
 
@@ -167,21 +167,38 @@ When an exception is created for a recommendation, the recommendation is no long
 
 3. Enter the following queries:
 
-```
+```kusto
 // Search for machines with High active alerts or Critical CVE public exploit 
 DeviceTvmSoftwareInventoryVulnerabilities 
 | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId 
 | where IsExploitAvailable == 1 and CvssScore >= 7
 | summarize NumOfVulnerabilities=dcount(CveId), 
-ComputerName=any(ComputerName) by MachineId 
-| join kind =inner(AlertEvents) on MachineId  
+DeviceName=any(DeviceName) by DeviceId 
+| join kind =inner(AlertEvents) on DeviceId  
 | summarize NumOfVulnerabilities=any(NumOfVulnerabilities), 
-ComputerName=any(ComputerName) by MachineId, AlertId 
-| project ComputerName, NumOfVulnerabilities, AlertId  
+DeviceName=any(DeviceName) by DeviceId, AlertId 
+| project DeviceName, NumOfVulnerabilities, AlertId  
 | order by NumOfVulnerabilities desc 
 
 ```
 
+## Conduct an inventory of software or software versions which have reached their end-of-life
+End-of-life for software or software versions means that they will no longer be supported nor serviced. When you use software or software versions which have reached their end-of-life, you're exposing your organization to security vulnerabilities, legal, and financial risks. 
+
+It is crucial for you as Security and IT Administrators to work together and ensure that your organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. 
+
+To conduct an inventory of software or software versions which have reached their end of life:
+1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
+2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options if you want to see the list of software recommendations associated with software which have reached their end-of-life (tagged as **EOL software**). Select **Software update** from **Remediation Type** options if you want to see the list of software recommendations associated with software and software versions which have reached their end-of-life (tagged as **EOL versions installed**). 
+3. Select a software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
+![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png) 
+
+4. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-life, and how many vulnerabilities were discovered in it.
+![Screenshot of software details for a software that reached its end of life](images/secrec_sw_details.png) 
+
+After you have identified which software and software versions are vulnerable due to its end-of-life status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
+
+
 ## Related topics
 - [Supported operating systems and platforms](tvm-supported-os.md)
 - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
@@ -193,5 +210,5 @@ ComputerName=any(ComputerName) by MachineId, AlertId
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [All advanced hunting tables](advanced-hunting-reference.md)
 - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
index c9d50043b1..c003b67a2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
@@ -50,5 +50,19 @@ Here is an example of an IOC:
 
 IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
 
+## In this section
+
+Topic | Description
+:---|:---
+[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections.
+[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
+[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
+[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
+
+
+
 ## Related topics
 - [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 28e3bd225c..8e4d732734 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -18,9 +18,11 @@ ms.topic: article
 
 # Indicator resource type
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+- See the corresponding [Indicators page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal. 
 
 Method|Return Type |Description
 :---|:---|:---
@@ -28,23 +30,49 @@ Method|Return Type |Description
 [Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity.
 [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity.
 
-- See the corresponding [page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal. 
-
-For more information on creating indicators, see [Manage indicators](manage-indicators.md).
 
 ## Properties
 Property |	Type	|	Description
 :---|:---|:---
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity.
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
-title | String | Indicator alert title.
+id | String | Identity of the [Indicator](ti-indicator.md) entity.
+indicatorValue | String | The value of the [Indicator](ti-indicator.md).
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url".
+application | String | The application associated with the indicator. 
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed".
+sourceType | Enum | "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API.
+source | string | The name of the user/application that submitted the indicator.
+createdBy | String | Unique identity of the user/application that submitted the indicator.
+lastUpdatedBy | String | Identity of the user/application that last updated the indicator.
 creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
-createdBy | String | Identity of the user/application that submitted the indicator.
-expirationTime | DateTimeOffset | The expiration time of the indicator
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+expirationTime | DateTimeOffset | The expiration time of the indicator.
+lastUpdateTime | DateTimeOffset | The last time the indicator was updated.
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
+title | String | Indicator title.
 description | String | Description of the indicator.
-recommendedActions | String | Indicator alert recommended actions.
-rbacGroupNames | List of strings | RBAC group names where the indicator is exposed. Empty list in case it exposed to all groups.
+recommendedActions | String | Recommended actions for the indicator.
+rbacGroupNames | List of strings | RBAC machine group names where the indicator is exposed and active. Empty list in case it exposed to all machines.
 
 
+## Json representation
+
+```json
+{
+    "id": "994",
+    "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
+    "indicatorType": "FileSha256",
+    "action": "AlertAndBlock",
+	"application": null,
+    "source": "user@contoso.onmicrosoft.com",
+    "sourceType": "User",
+	"createdBy": "user@contoso.onmicrosoft.com",
+    "severity": "Informational",
+    "title": "Michael test",
+    "description": "test",
+    "recommendedActions": "nothing",
+    "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
+    "expirationTime": null,
+    "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
+    "lastUpdatedBy": null,
+    "rbacGroupNames": ["team1"]
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 07bd73d2d2..662c116683 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,6 +1,6 @@
 ---
 title: What's in the dashboard and what it means for my organization's security posture
-description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions to address cybersecurity threat vulnerabilities and build their organization's security resilience. 
+description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
 keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
 search.appverid: met150
 search.product: eADQiWindows 10XVcnh
@@ -52,16 +52,16 @@ Area | Description
 (1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
 (2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
 **Dashboards**	| Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, whether the software in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
+**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
 **Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
-**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
+**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
 **Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
 (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
 **Selected machine groups (#/#)**	| Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only. 
 **Organization Exposure score**	| See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
 **Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
 **Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags. 
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
 **Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
 **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
 **Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index aafd2f2e36..ee48894e3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -1,6 +1,6 @@
 ---
 title: Exposure score
-description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
+description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats.
 keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 1d7a8392e8..a7dbb7c0ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,6 +1,6 @@
 ---
 title: Remediation and exception
-description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). 
+description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). 
 keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -50,8 +50,11 @@ You can access the remediation page in a few places in the portal:
 If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
 
 *Remediation in the navigation menu*
-1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.  
-2. Select the remediation activity that you need to see or process.
+1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
+![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
+
+2. Select the remediation activity that you need to see or process. 
+![Screenshot of the remediation page flyout for a software which reached its end-of-life](images/remediation_flyouteolsw.png)
 
 *Top remediation activities widget in the dashboard*
 1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 186b46eb57..047a7888c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -21,7 +21,8 @@ ms.date: 04/11/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+> [!TIP]
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
 
 [!include[Prerelease information](../../includes/prerelease.md)]
 
@@ -43,17 +44,32 @@ Each machine in the organization is scored based on three important factors: thr
 
 You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it. 
 
-There are security recommendations for application, operating system, network, accounts, and security controls. 
+*Security recommendations option from the left navigation menu* 
+
+1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. 
+![Screenshot of Security recommendations page](images/tvmsecrec-updated.png)
+
+    >[!NOTE]
+    > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left,  which means an increase or decrease at the end of even a single machine will change the graph's color.
+
+    You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
+    

![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype-swupdatefilter.png)
+
+2. Select the security recommendation that you need to investigate or process. 
+

![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png)
+
+    
+*Top security recommendations from the dashboard*
 
 In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. 
 
 The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.   
 
-You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
+You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
 
 From that page, you can do any of the following depending on what you need to do:
 
-- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software end-of-life, and charts so you can see the exposure trend over time. 
+- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time. 
 
 - Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
 
@@ -66,19 +82,19 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 1. Select the **Security recommendation** tab.
 
 2. Click **:** beside the security recommendation that you want to report about,  then select **Report inaccuracy**. 
-![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm_report_inaccuracy.png)
+![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm-report-inaccuracy.png)
 
A flyout pane opens.

-![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracyflyout.png)
+![Screenshot of Report inaccuracy flyout pane](images/tvm-report-inaccuracyflyout.png)
 
 3. From the flyout pane, select the inaccuracy category from the drop-down menu. 
-
![Screenshot of Report inaccuracy categories drop-down menu](images/tvm_report_inaccuracyoptions.png)

+
![Screenshot of Report inaccuracy categories drop-down menu](images/tvm-report-inaccuracyoptions.png)

 
 4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
 
 5. Include your machine name for investigation context.
 
->[!NOTE]
-> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
+    >[!TIP]
+    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
 
 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 2dd1bfc005..0eb7c6a988 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -1,6 +1,6 @@
 ---
 title: Software inventory
-description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
+description: Microsoft Defender ATP Threat & Vulnerability Management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software.
 keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -28,9 +28,10 @@ ms.date: 04/11/2019
 Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
 
 ## Navigate through your software inventory
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software have reached their end-of-life.      
+1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life.      
+![Screenshot of software inventory page](images/software_inventory_filter.png) 
 2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. 
-3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
+3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated.
 
 ## How it works
 In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 4a0ed9a714..aa146289f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -1,6 +1,6 @@
 ---
 title: Weaknesses
-description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.    
+description: Windows Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization. 
 keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm 
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -50,8 +50,8 @@ You can access the list of vulnerabilities in a few places in the portal:
 ![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png)
 3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. 
 
->[!NOTE]
->To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. 
+    > [!NOTE]
+    > To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. 
 
 *Weaknesses page in the menu* 
 1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
@@ -116,8 +116,8 @@ You can report a false positive when you see any vague, inaccurate, missing, or
 
 5. Include your machine name for investigation context.
 
->[!NOTE]
-> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
+    > [!NOTE]
+    > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. 
 
 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
index 9c17d1b578..40c5117a86 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
@@ -19,12 +19,19 @@ ms.topic: article
 
 # Release machine from isolation API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Undo isolation of a machine.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -80,30 +87,7 @@ Content-type: application/json
 }
 
 ```
-**Response**
 
-Here is an example of the response.
 
->[!NOTE]
->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
-    "type": "Unisolate",
-    "requestor": "Analyst@contoso.com ",
-    "requestorComment": "Unisolate machine since it was clean and validated ",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z",
-	"relatedFileInfo": null
-}
-
-```
-
-To isolate a machine, see [Isolate machine](isolate-machine.md).
+- To isolate a machine, see [Isolate machine](isolate-machine.md).
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
index fdb3691cc4..9687b34e41 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
@@ -18,12 +18,19 @@ ms.topic: article
 
 # Remove app restriction API
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
+
+## API description
 Enable execution of any application on the machine.
 
+
+## Limitations
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+
 [!include[Machine actions note](../../includes/machineactionsnote.md)]
 
 ## Permissions
@@ -78,26 +85,5 @@ Content-type: application/json
 
 ```
 
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
-    "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
-    "type": "UnrestrictCodeExecution",
-    "requestor": "Analyst@contoso.com",
-    "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
-    "status": "InProgress",
-    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
-    "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z",
-	"relatedFileInfo": null
-}
-
-```
 
 To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 1f6195d622..d51346f8f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -18,11 +18,21 @@ ms.topic: article
 
 # Update alert
 
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+## API description
+Updates properties of existing [Alert](alerts.md).
+
Submission of **comment** is available with or without updating properties.
+
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```.
+
+
+## Limitations
+1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
 
-Update the properties of an alert entity.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -51,7 +61,9 @@ Content-Type | String | application/json. **Required**.
 
 
 ## Request body
-In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+In the request body, supply the values for the relevant fields that should be updated.
+
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. 
+
For best performance you shouldn't include existing values that haven't change.
 
 Property | Type | Description
 :---|:---|:---
@@ -59,6 +71,7 @@ status | String | Specifies the current status of the alert. The property values
 assignedTo | String | Owner of the alert
 classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
 determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+comment | String | Comment to be added to the alert.
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
 
@@ -75,35 +88,12 @@ Here is an example of the request.
 ```
 PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
 Content-Type: application/json
+
 {
-	"assignedTo": "secop2@contoso.com"
-}
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-{
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
-    "id": "121688558380765161_2136280442",
-	"incidentId": 7696,
+    "status": "Resolved",
 	"assignedTo": "secop2@contoso.com",
-	"severity": "High",
-	"status": "New",
-	"classification": "TruePositive",
-	"determination": "Malware",
-	"investigationState": "Running",
-	"category": "MalwareDownload",
-	"detectionSource": "WindowsDefenderAv",
-	"threatFamilyName": "Mikatz",
-	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-	"description": "Some description",
-	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-	"lastEventTime": "2018-11-26T16:18:01.809871Z",
-	"resolvedTime": null,
-	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+    "classification": "FalsePositive",
+    "determination": "Malware",
+    "comment": "Resolve my alert and assign to secop2"
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index dd8733ed35..379bc21985 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -43,6 +43,11 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
       
         - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
          - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+            - Security operations - Take response actions
+              - Approve or dismiss pending remediation actions
+              - Manage allowed/blocked lists for automation
+              - Manage allowed/blocked create Indicators
+
          >[!NOTE]
          >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
         
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md
index 9700fea0cb..bd76e783d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user.md
@@ -18,8 +18,9 @@ ms.topic: article
 
 # User resource type
 
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 
 Method|Return Type |Description
 :---|:---|:---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index dbec95617e..2d9187a57f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -31,11 +31,11 @@ For more information preview features, see [Preview features](https://docs.micro
 
 - [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) 
 Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
  
+- [Threat & Vulnerability Management application and application version end-of-life information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) 
Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
+
 - [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference) 
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. 
  
  - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) 
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- 
-- [Threat & Vulnerability Management application end-of-life tag](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) 
Applications which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
 
 ## October 2019
 
@@ -98,7 +98,7 @@ For more information preview features, see [Preview features](https://docs.micro
 
 - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
 Controlled folder access is now supported on Windows Server 2019.
 
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
+- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules. 
 
 - [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
 Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
 
@@ -124,7 +124,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
   
 ## March 2018
 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) 

-Query data using Advanced hunting in Microsoft Defender ATP.
+Query data using advanced hunting in Microsoft Defender ATP.
 
 - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)

     New attack surface reduction rules: 
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index 4b9f7e599b..b777bb0066 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -99,6 +99,7 @@ Over time, new ways to manage security policy settings have been introduced, whi
 
 
MessageDate
Windows 7 has reached end of support
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
January 15, 2020 
10:00 AM PT
Take action: January 2020 security update available for all supported versions of Windows
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
January 14, 2020 
08:00 AM PT
Advisory: Windows CryptoAPI certificate validation vulnerability
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
  • If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
  • If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
If you are running an unsupported version of Windows 10, we recommend that you upgrade to the current version of Windows 10 to benefit from the latest security protections. For more information about this vulnerability, see the Microsoft Security Guidance for CVE-2020-0601 and the Microsoft Security Response Center blog, January 2020 Security Updates: CVE-2020-0601.
January 14, 2020 
08:00 AM PT

       
Take action: December 2019 security update available for all supported versions of Windows
The December 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
December 10, 2019 
08:00 AM PT

       
Timing of Windows 10 optional update releases (December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer.
December 10, 2019 
08:00 AM PT

       
Windows 10, version 1909 now available
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
November 12, 2019 
10:00 AM PT

 

+
  
 ## Using the Local Security Policy snap-in
 
@@ -135,7 +136,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
 
 **To administer security policies by using the Security Compliance Manager**
 
-1.  Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog.
+1.  Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
 2.  Read the relevant security baseline documentation that is included in this tool.
 3.  Download and import the relevant security baselines. The installation process steps you through baseline selection.
 4.  Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
@@ -208,6 +209,7 @@ The following table lists the features of the Security Configuration Manager.
 
 
 
+
  
 ### Security Configuration and Analysis
 
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index d1dd82ef56..518c760a7e 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -1,6 +1,6 @@
 ---
 title: Allow log on through Remote Desktop Services (Windows 10)
-description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
+description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow log on through Remote Desktop Services.
 ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 1c0450ff49..023e1eac23 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.
+description: Learn more about the security policy setting, Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
 ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 01185ae6a6..1e3fb1aac8 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,6 +1,6 @@
 ---
 title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.
+description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
 ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index 5440a05596..065ea3434c 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -1,6 +1,6 @@
 ---
 title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting.
+description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always).
 ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
 ms.reviewer: 
 ms.author: dansimp
@@ -37,7 +37,7 @@ The following policy settings determine whether a secure channel can be establis
 
 Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
 
-To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains.
+To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains.
 
 To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.
 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index e91f76f50f..0540ffa16a 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -1,6 +1,6 @@
 ---
 title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible).
 ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index ad341bc3f9..e0127d72d7 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -1,6 +1,6 @@
 ---
 title: Domain member Digitally sign secure channel data (when possible) (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting.
+description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible).
 ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 802f0fdc28..92ffe6cd6c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -19,7 +19,7 @@ ms.date: 04/19/2017
 # Interactive logon: Do not require CTRL+ALT+DEL
 
 **Applies to**
--   Windows 10
+- Windows 10
 
 Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.
 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
 
 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
 
-If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on.
 
 If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon).
 
@@ -37,13 +37,13 @@ A malicious user might install malware that looks like the standard logon dialog
 
 ### Possible values
 
--   Enabled
--   Disabled
--   Not defined
+- Enabled
+- Disabled
+- Not defined
 
 ### Best practices
 
--   It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
+- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b836aabd10..accf7f1ab2 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
 
 ### Possible values
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index a66a0bb4f3..bf4611c235 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -1,6 +1,6 @@
 ---
 title: Interactive logon Message title for users attempting to log on (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
 ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index de6c9be4ad..93b8bde24d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -1,6 +1,6 @@
 ---
 title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting.
+description: Best practices and more for the security policy setting, Interactive logon Number of previous logons to cache (in case domain controller is not available).
 ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index e76c70eaa0..217b812683 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -1,6 +1,6 @@
 ---
 title: Interactive logon Prompt user to change password before expiration (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Interactive logon Prompt user to change password before expiration.
 ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index 4fcccdefa1..216de3c43e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -1,6 +1,6 @@
 ---
 title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10)
-description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting.
+description: Best practices security considerations, and more for the policy setting, Interactive logon Require Domain Controller authentication to unlock workstation.
 ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 07d967bae1..c9c8515fe5 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -1,6 +1,6 @@
 ---
 title: Interactive logon Smart card removal behavior (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting.
+description: Best practices, location, values, policy management and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
 ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index cac506ca6d..880ce8d6ab 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -1,6 +1,6 @@
 ---
 title: Maximum tolerance for computer clock synchronization (Windows 10)
-description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting.
+description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization.
 ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index b407df66f1..d36aa5c106 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network client Digitally sign communications (always) (Windows 10)
-description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
+description: Best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always).
 ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index eec79a7055..7bfb786b1e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network server Amount of idle time required before suspending session (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting.
+description: Best practices, security considerations, and more for the policy setting, Microsoft network server Amount of idle time required before suspending session.
 ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 0674adb11c..2e7b8cc704 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network server Digitally sign communications (always) (Windows 10)
-description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
 ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index 6e1da49f14..d763e077ca 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network server Disconnect clients when logon hours expire (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting.
+description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when logon hours expire.
 ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index e54608a533..f45ef84792 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network server Server SPN target name validation level (Windows 10)
-description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
 ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index 2e17d9dba9..0b21eb13c9 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -1,6 +1,6 @@
 ---
 title: Network access Allow anonymous SID/Name translation (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting.
+description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Allow anonymous SID/Name translation.
 ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index e06ab0c6cf..a221329ce9 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -1,6 +1,6 @@
 ---
 title: Network access Remotely accessible registry paths and subpaths (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting.
+description: Describes best practices, location, values, and security considerations for the policy setting, Network access Remotely accessible registry paths and subpaths.
 ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index b82dda2f41..62e028051b 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -1,6 +1,6 @@
 ---
 title: Network access Remotely accessible registry paths (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting.
+description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths.
 ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 38608bdb4d..7f2010f35f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -1,6 +1,6 @@
 ---
 title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares.
 ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index 4ec22d8d3f..8ae8bcfd3d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -1,6 +1,6 @@
 ---
 title: Network access Sharing and security model for local accounts (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network access Sharing and security model for local accounts.
 ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index 0d0633f105..43611938d0 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Allow Local System to use computer identity for NTLM (Windows 10)
-description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting.
+description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM.
 ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index af0955f3fe..01dea39c48 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10)
-description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting.
+description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities.
 ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 17bf06d448..32ad4fc2b7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Do not store LAN Manager hash value on next password change (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network security Do not store LAN Manager hash value on next password change.
 ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51
 ms.reviewer: 
 ms.author: dansimp
@@ -38,8 +38,8 @@ By attacking the SAM file, attackers can potentially gain access to user names a
 
 ### Best practices
 
-1.  Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**.
-2.  Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed.
+ - Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**.
+ - Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed.
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index de01e4af31..6a02220b10 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Force logoff when logon hours expire (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting.
+description: Best practices, location, values, policy management and security considerations for the policy setting, Network security Force logoff when logon hours expire.
 ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index 2ec253e350..8cf1d1ef2a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -1,6 +1,6 @@
 ---
 title: Network security LAN Manager authentication level (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting.
+description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LAN Manager authentication level.
 ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index f4f8ccfc54..5a6ed1a602 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.
+description: Best practices and more for the security policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) clients.
 ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 4b653cf263..aa05ac30a3 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.
+description: Best practices and security considerations for the policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) servers.
 ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 0674395a3e..f45e969f85 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10)
-description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting.
+description: Best practices, security considerations, and more for the policy setting, Network security Restrict NTLM Add remote server exceptions for NTLM authentication.
 ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index bfc535dbd2..190741c9b6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10)
-description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain.
 ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index 5fb5f5c0e0..573acd03e5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10)
-description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting.
+description: Best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM Audit incoming NTLM traffic.
 ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index 8c939ae9a5..872e3aaf36 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10)
-description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
 ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 01de4dd73c..2b0c20bc29 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10)
-description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Incoming NTLM traffic.
 ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 0695e1fc82..885ca9c205 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -1,6 +1,6 @@
 ---
 title: Recovery console Allow automatic administrative logon (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting.
+description: Best practices, location, values, policy management and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
 ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index 20d4c87bf7..0fb4445f92 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -1,6 +1,6 @@
 ---
 title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting.
+description: Best practices, security considerations, and more for the policy setting, Recovery console Allow floppy copy and access to all drives and folders.
 ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
index db0f82e3ff..47483249d7 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
@@ -1,6 +1,6 @@
 ---
 title: SMBv1 Microsoft network client Digitally sign communications (if server agrees) (Windows 10)
-description: For SMBv1 only, describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting.
+description: Best practices, location, values, and security considerations for the policy setting, Microsoft network client Digitally sign communications (if server agrees).
 ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd
 ms.reviewer: 
 ms.author: dansimp
@@ -51,14 +51,14 @@ There are three other policy settings that relate to packet-signing requirements
 
 ### Best practices
 
-1.  Configure the following security policy settings as follows:
+ - Configure the following security policy settings as follows:
 
     -   Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
     -   Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
     -   Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**.
     -   Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
 
-2.  Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
+ - Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
 
 ### Location
 
@@ -107,7 +107,8 @@ Configure the settings as follows:
 
 In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
 
->**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
+> [!NOTE]
+> An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
  
 ### Potential impact
 
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
index 52f64c04aa..dffc41d41d 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
@@ -1,6 +1,6 @@
 ---
 title: SMB v1 Microsoft network server Digitally sign communications (always) (Windows 10)
-description: For SMB v1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
+description: Best practices, security considerations, and more for the  security policy setting, Microsoft network server Digitally sign communications (always).
 ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
index 1ed8ae9b5b..45e242b7fc 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
@@ -1,6 +1,6 @@
 ---
 title: SMBv1 Microsoft network server Digitally sign communications (if client agrees) (Windows 10)
-description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting.
+description: Best practices, security considerations and more for the security policy setting, Microsoft network server Digitally sign communications (if client agrees).
 ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index ba27c35ef2..fd0f6851b0 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -1,6 +1,6 @@
 ---
 title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting.
+description: Best practices, security considerations, and more for the policy setting, System cryptography Force strong key protection for user keys stored on the computer.
 ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index c2622812bc..a113f6b5de 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -1,6 +1,6 @@
 ---
 title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.
+description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links).
 ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 3e33a4112d..d261330b49 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -1,6 +1,6 @@
 ---
 title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting.
+description: Best practices and more for the security policy setting, System settings Use certificate rules on Windows executables for Software Restriction Policies.
 ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 2a1576714a..1fea6a28a0 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -1,6 +1,6 @@
 ---
 title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10)
-description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting.
+description: Best practices and more for the policy setting, User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop.
 ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index 9576d05d77..5b6f5b139e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -1,6 +1,6 @@
 ---
 title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.
+description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode.
 ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index aea0ba3bb8..6846dd303b 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -1,6 +1,6 @@
 ---
 title: User Account Control Only elevate executables that are signed and validated (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting.
+description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated.
 ms.assetid: 64950a95-6985-4db6-9905-1db18557352d
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 00ff2a4926..8d3f8b2d1b 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -1,6 +1,6 @@
 ---
 title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting.
+description: Best practices, security considerations, and more for the policy setting, User Account Control Switch to the secure desktop when prompting for elevation.
 ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index 3ec0475be4..8fb6f6ead6 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -1,6 +1,6 @@
 ---
 title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10)
-description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting.
+description: Best practices, security considerations and more for the policy setting, User Account Control Virtualize file and registry write failures to per-user locations.
 ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261
 ms.reviewer: 
 ms.author: dansimp
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 0a5d73d832..017b3050a2 100644
--- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -1,6 +1,6 @@
 ---
 title: WannaCrypt ransomware worm targets out-of-date systems
-description: In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
+description: This is an early analysis of the WannaCrypt ransomware attack. Microsoft antimalware diagnostic data immediately picked up signs of this campaign in May 2017.
 keywords: wannacry, wannacrypt, wanna, ransomware
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
index c4c23a9ddd..1cae26190b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -23,11 +23,11 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
 
 Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
 
-On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
+On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
 
 1. Open an administrator-level version of the command prompt as follows:
         
@@ -37,19 +37,15 @@ On at least two endpoints that are not reporting or showing up in Update Complia
 
     c. Enter administrator credentials or approve the prompt.
         
-2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
+2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
 
-    ```Dos
-    cd c:\program files\windows\defender
-    ```
-
-3. Enter the following command and press **Enter**
+3. Type the following command, and then press **Enter**
         
     ```Dos
     mpcmdrun -getfiles
     ```
     
-4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
 
 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index 7bee1e3696..a76c0ab71a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -32,11 +32,11 @@ You can manage and configure Windows Defender Antivirus with the following tools
 - Windows Management Instrumentation (WMI)
 - The mpcmdrun.exe utility
 
-The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
+The articles in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
 
 ## In this section
 
-Topic | Description
+Article | Description
 ---|---
 [Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
 [Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 5d969e79a9..1799b30b71 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 10/25/2018
 ms.reviewer: 
 manager: dansimp
 
@@ -30,11 +29,11 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
 
 
 
-**Use Configuration Manager to configure scanning options:**
+## Use Configuration Manager to configure scanning options:
 
 See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
 
-**Use Group Policy to configure scanning options**
+## Use Group Policy to configure scanning options
 
 To configure the Group Policy settings described in the following table:
 
@@ -63,15 +62,15 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
 >[!NOTE]
 >If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
 
-**Use PowerShell to configure scanning options**
+## Use PowerShell to configure scanning options
 
 See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
-**Use WMI to configure scanning options**
+## Use WMI to configure scanning options
 
 For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
 
-### Email scanning limitations
+## Email scanning limitations
 
 We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index c51a7da9ea..fa061b9284 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -84,7 +84,7 @@ You can disable this setting to ensure that only globally-defined lists (such as
 4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
 
 > [!NOTE]
-> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
+> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 0013143d29..ed7b30ece9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -13,7 +13,7 @@ author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
 audience: ITPro
-ms.date: 10/02/2018
+ms.date: 01/06/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -25,13 +25,13 @@ manager: dansimp
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
 
-Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
+Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
 
 For example:
 
-* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
-* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
-* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
+* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
+* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
+* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
 
 For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
 
@@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent
 
 #### Enable PUA protection in Chromium-based Microsoft Edge
 
-Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser.
+Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser.
 
-1. From the tool bar, select **Settings and more** > **Settings**
-1. Select **Privacy and services**
-1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off
+1. From the tool bar, select **Settings and more** > **Settings**.
+2. Select **Privacy and services**.
+3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off.
 
 > [!TIP]
 > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
@@ -58,7 +58,7 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
 
 In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs.
 
-Admins can  [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
+Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows
 Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
 [configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
 
@@ -71,11 +71,11 @@ The potentially unwanted application (PUA) protection feature in Windows Defende
 > [!NOTE]
 > This feature is only available in Windows 10.
 
-Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
+Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
 
-When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
+When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content.
 
-The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
+The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
 
 #### Configure PUA protection in Windows Defender Antivirus
 
@@ -105,7 +105,7 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat
 
 ##### Use Group Policy to configure PUA protection
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**.
 
 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
 
@@ -119,17 +119,30 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat
 
 ##### Use PowerShell cmdlets to configure PUA protection
 
-Use the following cmdlet:
+###### To enable PUA protection
 
 ```PowerShell
-Set-MpPreference -PUAProtection
+Set-MpPreference -PUAProtection enable
 ```
-
 Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
 
+###### To set PUA protection to audit mode
+
+```PowerShell
+Set-MpPreference -PUAProtection auditmode
+```
 Setting `AuditMode` will detect PUAs without blocking them.
 
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+###### To disable PUA protection
+
+We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -PUAProtection disable
+```
+Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
 
 #### View PUA events
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png
new file mode 100644
index 0000000000..82a7cebf32
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png
new file mode 100644
index 0000000000..37604390f6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png
new file mode 100644
index 0000000000..87b8811411
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png
new file mode 100644
index 0000000000..0bb53680a3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png
new file mode 100644
index 0000000000..b0a6b01f23
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png
new file mode 100644
index 0000000000..3d0c58844b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index f76c49cd91..b6e4410cd1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 10/18/2019
+ms.date: 01/09/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
@@ -30,7 +30,7 @@ Keeping your antivirus protection up to date is critical. There are two componen
 - *Where* the updates are downloaded from; and 
 - *When* updates are downloaded and applied. 
 
-This article describes the *where* - how to specify where updates should be downloaded from (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
+This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
 
 > [!IMPORTANT]
 > Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).  
@@ -40,7 +40,7 @@ This article describes the *where* - how to specify where updates should be down
 
 ## Fallback order
 
-Typically, you configure endpoints to individually download updates from a primary source, followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
 
 When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
 - The age of the last update on the device; and 
@@ -73,16 +73,13 @@ Each source has typical scenarios that depend on how your network is configured,
 |System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.|
 |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. 
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
 
-
 You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
 
 > [!IMPORTANT]
 > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 
-
 The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
 
-
 ## Use Group Policy to manage the update location
 
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -103,7 +100,7 @@ The procedures in this article first describe how to set the order, and then how
 
    4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
 
-   5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths then this source will be skipped when the VM downloads updates.
+   5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths, then this source will be skipped when the VM downloads updates.
 
    6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
 
@@ -124,7 +121,7 @@ Use the following PowerShell cmdlets to set the update order.
 Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
 Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
 ```
-See the following for more information:
+See the following articles for more information:
 - [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
 - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
 - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
@@ -139,13 +136,21 @@ SignatureFallbackOrder
 SignatureDefinitionUpdateFileSharesSource
 ```
 
-See the following for more information:
+See the following articles for more information:
 - [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
 
 ## Use Mobile Device Management (MDM) to manage the update location
 
 See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.
 
+## What if we're using a third-party vendor?
+
+This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks. 
+
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates. 
+
+> [!NOTE]
+> Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
 
 ## Related articles
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 817ec8cbb1..21736ff5a6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,9 +1,9 @@
 ---
-title: Protect security settings with Tamper Protection
+title: Protect security settings with tamper protection
 ms.reviewer: 
 manager: dansimp
-description: Use Tamper Protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, Tamper Protection
+description: Use tamper protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, tamper protection
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -17,7 +17,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ---
 
-# Protect security settings with Tamper Protection
+# Protect security settings with tamper protection
 
 **Applies to:**
 
@@ -25,9 +25,9 @@ ms.custom: nextgen
 
 ## Overview
 
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring. 
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. 
 
-With Tamper Protection, malicious apps are prevented from taking actions like these:
+With tamper protection, malicious apps are prevented from taking actions like these:
 - Disabling virus and threat protection
 - Disabling real-time protection
 - Turning off behavior monitoring
@@ -35,25 +35,38 @@ With Tamper Protection, malicious apps are prevented from taking actions like th
 - Disabling cloud-delivered protection
 - Removing security intelligence updates
 
-## How it works
+### How it works
 
- Tamper Protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
+ Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
 - Configuring settings in Registry Editor on your Windows machine 
 - Changing settings through PowerShell cmdlets
 - Editing or removing security settings through group policies
 - and so on.
 
-Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
 
 ### What do you want to do?
 
-[Turn Tamper Protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine)
+1. Turn tamper protection on 

+    - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+    - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
 
-[Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
+2. [View information about tampering attempts](#view-information-about-tampering-attempts).
 
-## Turn Tamper Protection on (or off) for an individual machine
+3. [Review your security recommendations](#review-your-security-recommendations).
 
-If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
+4. [Browse the frequently asked questions](#view-information-about-tampering-attempts).
+
+## Turn tamper protection on (or off) for an individual machine
+
+> [!NOTE]
+> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+> 
+> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+> 
+> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this.
 
 1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
 
@@ -61,73 +74,113 @@ If you are a home user, or you are not subject to settings managed by a security
 
 3. Set **Tamper Protection** to **On** or **Off**.
 
+Here's what you see in the Windows Security app:
+
+![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png)
+
+## Turn tamper protection on (or off) for your organization using Intune
+
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). 
+
 > [!NOTE]
-> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
-> 
-> To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
-> 
-> Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
-
-
-## Turn Tamper Protection on (or off) for your organization using Intune
-
-If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.) 
+> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. 
 
 You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. 
 
-1. Make sure your organization meets the following requirements:
+1. Make sure your organization meets all of the following requirements:
 
-    - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
-    - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
-    - Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
-    - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above)
-    - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+    - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+    - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
+    - Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
+    - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
+    - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
 
 2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. 
 
 3. Select **Device configuration** > **Profiles**.
 
-4. Create a profile that includes the following settings:
+4. Create a profile as follows:
 
-    - **Platform**: Windows 10 and later
-    - **ProfileType**: Endpoint protection
-    - **Settings** > Windows Defender Security Center > Tamper Protection 
+    - Platform: **Windows 10 and later**
+
+    - Profile type: **Endpoint protection**
+
+    - Category: **Microsoft Defender Security Center**
+
+    - Tamper Protection: **Enabled**
+
+    ![Turn tamper protection on with Intune](images/turnontamperprotect-intune.png)
 
 5. Assign the profile to one or more groups.
 
+Here's what you see in the Windows Security app:
+
+![Turning tamper protection on in Windows 10 Enterprise](images/turnontamperprotect-enterprise.png)
+
+### Are you using Windows OS 1709, 1803, or 1809?
+
+If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
+
+#### Use PowerShell to determine whether tamper protection is turned
+
+1. Open the Windows PowerShell app.
+
+2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet.
+
+3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
+
+## View information about tampering attempts
+
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. 
+
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). 
+
+![Microsoft Defender Security Center](images/tamperattemptalert.png)
+
+Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. 
+
+## Review your security recommendations
+
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image: 
+
+![Tamper protection results in security recommendations](../images/securityrecs-tamperprotect.jpg)
+
+In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
+
+![Turn on tamper protection](tamperprotectsecurityrecos.png)
+
+To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
+
 ## Frequently asked questions
 
-### To which Windows OS versions is configuring Tamper Protection is applicable?
+### To which Windows OS versions is configuring tamper protection is applicable?
 
-Windows 1903 May release
+Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
 
-### Is configuring Tamper Protection in Intune supported on servers?
+### Is configuring tamper protection in Intune supported on servers?
 
 No
 
-### Will Tamper Protection have any impact on third party antivirus registration?
+### Will tamper protection have any impact on third party antivirus registration?
 
-No, third-party antivirus will continue to register with the Windows Security application.
+No. Third-party antivirus offerings will continue to register with the Windows Security application.
 
-### What happens if Microsoft Defender Antivirus is not active on a device?
+### What happens if Windows Defender Antivirus is not active on a device?
 
-Tamper Protection will not have any impact on such devices.
+Tamper protection will not have any impact on such devices.
 
-### How can I turn Tamper Protection on/off?
+### How can I turn tamper protection on/off?
 
-If you are a home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
 
-If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
+If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
 
- 
-### How does configuring Tamper Protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
-
-Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
 
+Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on.
 
 >[!NOTE]
->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by Tamper Protection. 
-To avoid any potential delays, it is recommended to remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect Windows Defender Antivirus settings. 


+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings. 


 > Sample Windows Defender Antivirus settings:

 > Turn off Windows Defender Antivirus 

 > Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
@@ -136,32 +189,31 @@ Value DisableAntiSpyware = 0 


 Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\
 Value DisableRealtimeMonitoring = 0
 
+### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
 
-### For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization only?
+Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
 
-Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
+### Can I configure tamper protection in System Center Configuration Manager?
 
-### Can I configure Tamper Protection in System Center Configuration Manager?
+Currently, managing tamper protection through System Center Configuration Manager is not supported.
 
-Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
+### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
 
-### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
 
-Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device?
 
-### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.
 
-You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored.
+### I’m an enterprise customer. Can local admins change tamper protection on their devices?
 
-### I’m an enterprise customer. Can local admins change Tamper Protection on their devices?
-
-No. Local admins cannot change or modify Tamper Protection settings.
+No. Local admins cannot change or modify tamper protection settings.
 
 ### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
 
-In this case, Tamper Protection status changes, and this feature is no longer applied.
+In this case, tamper protection status changes, and this feature is no longer applied.
 
-### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center?
+### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
 
 Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. 
 
@@ -169,16 +221,16 @@ In addition, your security operations team can use hunting queries, such as the
 
 `AlertEvents | where Title == "Tamper Protection bypass"`
 
-### Will there be a group policy setting for Tamper Protection?
+[View information about tampering attempts](#view-information-about-tampering-attempts).
+
+### Will there be a group policy setting for tamper protection?
 
 No.
 
-## Related resources
-
-[Windows 10 Enterprise Security](https://docs.microsoft.com/windows/security/index)
+## Related articles
 
 [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
 
-[Microsoft 365 Enterprise overview (at a glance)](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview#at-a-glance)
+[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
 
-[Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png b/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png
new file mode 100644
index 0000000000..69485c42e9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
new file mode 100644
index 0000000000..392bc3f8e3
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -0,0 +1,58 @@
+---
+title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
+description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
+keywords: windows defender, antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro 
+ms.topic: article 
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 01/07/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). 
+
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. 
+
+## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
+
+| |Advantage  |Why it matters |
+|--|--|--|
+|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
+|2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
+|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
+|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
+|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
+
+
+## Learn more
+
+[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+
+[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index 4187645c2e..8837f79190 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---
@@ -127,8 +126,8 @@ See the following for more information:
 3. Select **Windows Defender Offline scan** and click **Scan now**.
 
 
-> [!NOTE]
-> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
+    > [!NOTE]
+    > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
 
 
 ## Review scan results
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 5935c90319..be4f7240f1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---
@@ -47,7 +46,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
 
-![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+    ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
     
 ## Comparison of settings and functions of the old app and the new app
 
@@ -96,7 +95,7 @@ This section describes how to perform some of the most common tasks when reviewi
 
 3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
 
-![Security intelligence version number information](images/defender/wdav-wdsc-defs.png)
+    ![Security intelligence version number information](images/defender/wdav-wdsc-defs.png)
 
 4. Click **Check for updates** to download new protection updates (if there are any).
 
@@ -111,9 +110,9 @@ This section describes how to perform some of the most common tasks when reviewi
 
 4. Toggle the **Real-time protection** switch to **On**.
 
->[!NOTE]
->If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.  
->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
+    >[!NOTE]
+    >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.  
+    >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
 
 
 
@@ -129,18 +128,20 @@ This section describes how to perform some of the most common tasks when reviewi
 4. Under the **Exclusions** setting, click **Add or remove exclusions**. 
 
 5. Click the plus icon to choose the type and set the options for each exclusion. 
-
 
 
 ### Review threat detection history in the Windows Defender Security Center app
-1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
- 
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
- 
-3. Click **Threat history**.
- 
-4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+
+  1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or 
+  searching the start menu for **Defender**.
  
+  2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+  3. Click **Threat history**
+  
+  4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, 
+  **Allowed threats**).
+
 
 
 ### Set ransomware protection and recovery options
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index 7f43b4f3cd..adcfdab2e0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -1,6 +1,6 @@
 ---
 title: Determine your application control objectives (Windows 10)
-description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
+description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
 ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
 ms.reviewer: 
 ms.author: dansimp
@@ -77,7 +77,7 @@ Use the following table to develop your own objectives and determine which appli
 
SRP can control the following file types:

 
@@ -85,7 +85,7 @@ Use the following table to develop your own objectives and determine which appli
 
AppLocker can control the following file types: