diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 00a28f07b2..2a308af532 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -97,6 +97,22 @@
       "build_entry_point": "docs",
       "template_folder": "_themes"
     },
+    {
+      "docset_name": "release-information",
+      "build_source_folder": "windows/release-information",
+      "build_output_subfolder": "release-information",
+      "locale": "en-us",
+      "monikers": [],
+      "moniker_ranges": [],
+      "open_to_public_contributors": true,
+      "type_mapping": {
+        "Conceptual": "Content",
+        "ManagedReference": "Content",
+        "RestApi": "Content"
+      },
+      "build_entry_point": "docs",
+      "template_folder": "_themes"
+    },
     {
       "docset_name": "smb",
       "build_source_folder": "smb",
@@ -305,6 +321,22 @@
       "build_entry_point": "docs",
       "template_folder": "_themes"
     },
+    {
+      "docset_name": "windows-known-issues",
+      "build_source_folder": "windows/known-issues",
+      "build_output_subfolder": "windows-known-issues",
+      "locale": "en-us",
+      "monikers": [],
+      "moniker_ranges": [],
+      "open_to_public_contributors": true,
+      "type_mapping": {
+        "Conceptual": "Content",
+        "ManagedReference": "Content",
+        "RestApi": "Content"
+      },
+      "build_entry_point": "docs",
+      "template_folder": "_themes"
+    },
     {
       "docset_name": "windows-manage",
       "build_source_folder": "windows/manage",
@@ -465,4 +497,4 @@
   },
   "need_generate_pdf": false,
   "need_generate_intellisense": false
-}
+}
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index ab677cc666..f6b41f4ac4 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -13944,5 +13944,10 @@
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics",
 "redirect_document_id": true
 },
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators",
+"redirect_document_id": true
+},
 ]
 }
diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md
index e3a128b0ac..d862020dcc 100644
--- a/browsers/edge/microsoft-edge-faq.md
+++ b/browsers/edge/microsoft-edge-faq.md
@@ -26,10 +26,10 @@ For more information on how Internet Explorer and Microsoft Edge work together t
 [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
 
 ## How do I customize Microsoft Edge and related settings for my organization?
-You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/group-policies/index.md) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.  
+You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.  
 
 ## Is Adobe Flash supported in Microsoft Edge?
-Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of  Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](/available-policies.md#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
+Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of  Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
 
 To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
 
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
index b619fc1428..e5d185bf40 100644
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@@ -49,7 +49,7 @@ To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset
 
 If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image.
 
-1. On your computer, get [Advanced Recovery Companion](need store link) from Microsoft Store.
+1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
 2. Connect HoloLens 2 to your computer.
 3. Start Advanced Recovery Companion.
 4. On the **Welcome** page, select your device.
@@ -57,4 +57,4 @@ If the device is still having a problem after reset, you can use Advanced Recove
 6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
 
 >[!NOTE]
->[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
\ No newline at end of file
+>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index a264981b50..058ddefab4 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -41,6 +41,7 @@
 ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
 ### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
 ### [Using a room control system](use-room-control-system-with-surface-hub.md)
+### [Implement Quality of Service on Surface Hub](surface-hub-qos.md)
 ### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
 ### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
 ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 5771b3f3c5..05e00d56fe 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -64,8 +64,11 @@ Surface Hubs use Azure AD join to:
 - Grant admin rights to the appropriate users in your Azure AD tenant.
 - Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
 
-> [!IMPORTANT]
-> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
+### Automatic enrollment via Azure Active Directory join
+
+Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. 
+
+For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
 
 ### Which should I choose?
 
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 10ae4ecd42..d105eef44f 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -22,6 +22,7 @@ New or changed topic | Description
 [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
 [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
 [Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only
+[Implement Quality of Service on Surface Hub](surface-hub-qos.md) | New
 
 ## July 2018
 
diff --git a/devices/surface-hub/images/qos-create.png b/devices/surface-hub/images/qos-create.png
new file mode 100644
index 0000000000..7cd4726ddb
Binary files /dev/null and b/devices/surface-hub/images/qos-create.png differ
diff --git a/devices/surface-hub/images/qos-setting.png b/devices/surface-hub/images/qos-setting.png
new file mode 100644
index 0000000000..d775d9a46f
Binary files /dev/null and b/devices/surface-hub/images/qos-setting.png differ
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
new file mode 100644
index 0000000000..39463f0d49
--- /dev/null
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -0,0 +1,51 @@
+---
+title: Implement Quality of Service on Surface Hub   
+description: Learn how to configure QoS on Surface Hub.
+ms.prod: surface-hub
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Implement Quality of Service (QoS) on Surface Hub
+
+Quality of Service (QoS) is a combination of network technologies that allows the administrators to optimize the experience of real time audio/video and application sharing communications.
+ 
+Configuring [QoS for Skype for Business](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp) on the Surface Hub can be done using your [mobile device management (MDM) provider](manage-settings-with-mdm-for-surface-hub.md) or through a [provisioning package](provisioning-packages-for-surface-hub.md). 
+ 
+ 
+This procedure explains how to configure QoS for Surface Hub using Microsoft Intune. 
+
+1. In Intune, [create a custom policy](https://docs.microsoft.com/intune/custom-settings-configure).
+
+    ![Screenshot of custom policy creation dialog in Intune](images/qos-create.png)
+
+2. In **Custom OMA-URI Settings**, select **Add**. For each setting that you add, you will enter a name, description (optional), data type, OMA-URI, and value.
+
+    ![Screenshot of a blank OMA-URI setting dialog box](images/qos-setting.png)
+
+3. Add the following custom OMA-URI settings:
+
+    Name | Data type | OMA-URI<br>./Device/Vendor/MSFT/NetworkQoSPolicy |  Value
+    --- | --- | --- | ---
+    Audio Source Port | String |  /HubAudio/SourcePortMatchCondition  |   Get the values from your Skype administrator
+    Audio DSCP | Integer |  /HubAudio/DSCPAction  |   46
+    Video Source Port | String |  /HubVideo/SourcePortMatchCondition   |  Get the values from your Skype administrator
+    Video DSCP | Integer |  /HubVideo/DSCPAction   |   34
+    Audio Process Name | String |  /HubAudio/AppPathNameMatchCondition  |   Microsoft.PPISkype.Windows.exe
+    Video Process Name | String |  /HubVideo/AppPathNameMatchCondition  |   Microsoft.PPISkype.Windows.exe
+
+    >[!IMPORTANT]
+    >Each **OMA-URI** path begins with `./Device/Vendor/MSFT/NetworkQoSPolicy`. The full path for the audio source port setting, for example, will be `./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition`.
+
+
+
+
+4. When the policy has been created, [deploy it to the Surface Hub.](manage-settings-with-mdm-for-surface-hub.md#manage-surface-hub-settings-with-mdm)
+
+
+>[!WARNING]
+>Currently, you cannot configure the setting **IPProtocolMatchCondition** in the [NetworkQoSPolicy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). If this setting is configured, the policy will fail to apply.
+ 
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index eefb7fd379..c9b1df28bd 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -63,9 +63,12 @@ There are several items to download or create for offline-licensed apps. The app
 **To download an offline-licensed app**
 
 1.  Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2.  Click **Manage**, and then choose **Apps & software**.
-3.  Refine results by **License type** to show apps with offline licenses.
-4.  Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**.
+2.  Click **Manage**.
+3.  Under **Shopping Experience**, set **Show offline apps** to **On**.
+4.  Click **Shop for my group**. Search for the required inbox-app, select it, change the License type to **Offline**, and click  **Get the app**, which will add the app to your inventory.
+5.  Click **Manage**. You now have access to download the appx bundle package metadata and license file.
+6.  Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
+
     - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
     - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
     - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required.
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 8eed696dd9..637e02d729 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
 | Microsoft.OneConnect                   | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe)                            | x    | x    | x    | x    | No                    |
 | Microsoft.People                       | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe)                                     | x    | x    | x    | x    | No                    |
 | Microsoft.Print3D                      | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe)                                            |      | x    | x    | x    | No                    |
-| Microsoft.SkreenSketch                 | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe)                                  |      |      |      | x    | No                    |
+| Microsoft.ScreenSketch                 | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe)                                  |      |      |      | x    | No                    |
 | Microsoft.SkypeApp                     | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c)                                              | x    | x    | x    | x    | No                    |
 | Microsoft.StorePurchaseApp             | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe)                         | x    | x    | x    | x    | No                    |
 | Microsoft.VP9VideoExtensions           |                                                                                                                    |      |      |      | x    | No                    |
@@ -181,4 +181,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, a
 |                    | Microsoft.VCLibs.140.00                  | x    | x    | x    | Yes                  |
 |                    | Microsoft.VCLibs.120.00.Universal        | x    |      |      | Yes                  |
 |                    | Microsoft.VCLibs.140.00.UWPDesktop       |      | x    |      | Yes                  |
----
\ No newline at end of file
+---
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 4b9157ad49..17d1ddd6e7 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -338,7 +338,7 @@ Delete a provider
 </SyncML>
 ```
 
-<a href="" id="etwlog-collectors-collectorname-providers-provderguid-tracelevel"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/TraceLevel**  
+<a href="" id="etwlog-collectors-collectorname-providers-providerguid-tracelevel"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**  
 Specifies the level of detail included in the trace log.
 
 The data type is an integer.
@@ -407,7 +407,7 @@ Set provider **TraceLevel**
 </SyncML>
 ```
 
-<a href="" id="etwlog-collectors-collectorname-providers-provderguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/Keywords**  
+<a href="" id="etwlog-collectors-collectorname-providers-providerguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**  
 Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
 
 the data type is a string.
@@ -461,7 +461,7 @@ Set provider **Keywords**
 </SyncML>
 ```
 
-<a href="" id="etwlog-collectors-collectorname-providers-provderguid-state"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/State**  
+<a href="" id="etwlog-collectors-collectorname-providers-providerguid-state"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**  
 Specifies if this provider is enabled in the trace session.
 
 The data type is a boolean.
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 563f13334a..6a783571df 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -76,8 +76,8 @@ The data type is string. Supported operations are Get and Replace. Starting in W
 Specifies whether the proxy server should be used for local (intranet) addresses. 
 Valid values:
 <ul>
-<li>0 (default) - Do not use proxy server for local addresses</li>
-<li>1 - Use proxy server for local addresses</li>
+<li>0 (default) - Use proxy server for local addresses</li>
+<li>1 - Do not use proxy server for local addresses</li>
 </ul>
 
 The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 09b30b65c0..75e19260d4 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -66,6 +66,15 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
     ```
     <Data></Data>
     ```
+If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (`<![CDATA[...]]>`) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
+
+> [!Note]
+> `&#xF000;` is the entity encoding of 0xF000.
+
+For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
+```
+<![CDATA[Authenticated Users&#xF000;Replicator]]>
+```
 
 <hr/>
 
diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md
index c7ebdf2171..74aa8f8b40 100644
--- a/windows/client-management/mdm/windowssecurityauditing-csp.md
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@@ -13,7 +13,7 @@ ms.date: 06/26/2017
 # WindowsSecurityAuditing CSP
 
 
-The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
+The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
 
 The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 52fa2a92d0..1bee65476e 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -10,13 +10,19 @@ ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 11/07/2018
 ---
 
 # Change history for Configure Windows 10
 
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
+## April 2019
+
+New or changed topic | Description
+--- | ---
+[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Added information for Shell Launcher v2, coming in the next feature update to Windows 10.
+[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
+
 ## February 2019
 
 New or changed topic | Description
diff --git a/windows/configuration/images/slv2-oma-uri.png b/windows/configuration/images/slv2-oma-uri.png
new file mode 100644
index 0000000000..98ee252b63
Binary files /dev/null and b/windows/configuration/images/slv2-oma-uri.png differ
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md
index 72377d11f6..81a9ba0ecf 100644
--- a/windows/configuration/kiosk-additional-reference.md
+++ b/windows/configuration/kiosk-additional-reference.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 09/13/2018
 ms.topic: reference
 ---
 
@@ -30,7 +29,7 @@ Topic | Description
 [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
 [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
 [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
-[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) |  Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
+[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) |  Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
 [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
 [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
 
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 888cbc3049..82aa4dc94f 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -12,6 +12,9 @@ ms.topic: article
 
 # Configure kiosks and digital signs on Windows desktop editions
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
 
 |  |  |
@@ -43,6 +46,7 @@ You can use this method | For this edition | For this kiosk account type
 [Assigned access cmdlets](kiosk-single-app.md#powershell)  | Pro, Ent, Edu | Local standard user
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD 
 [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
+[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
 
 <span id="classic" />
 ## Methods for a single-app kiosk running a Windows desktop application
@@ -50,8 +54,8 @@ You can use this method | For this edition | For this kiosk account type
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD 
-[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
 [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
+[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
 
 <span id="desktop" />
 ## Methods for a multi-app kiosk
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index f484267983..436a96f0a8 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 01/09/2019
 ms.topic: article
 ---
 
@@ -31,12 +30,14 @@ ms.topic: article
 
 ## Configuration recommendations
 
-For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: 
 
 Recommendation | How to
 --- | ---
-Hide update notifications<br>(New in Windows 10, version 1809)   | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
-Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
+Hide update notifications<br>(New in Windows 10, version 1809)   | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:<br>**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
+Enable and schedule automatic updates | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`<br>-or-<br>Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`<br><br>**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.<br><br>To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
+Enable automatic restart at the scheduled time | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
+Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
 Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
 Hide **Ease of access** feature on the sign-in screen. |     See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
 Disable the hardware power button. |     Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
@@ -67,7 +68,7 @@ In addition to the settings in the table, you may want to set up **automatic log
     >[!NOTE]  
     >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
   
-
+ 
 2.  Go to
 
     **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index cb4de9b225..308da89102 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -1,6 +1,6 @@
 ---
 title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
-description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 10/01/2018
 ms.topic: article
 ---
 
@@ -16,26 +15,36 @@ ms.topic: article
 
 
 **Applies to**
->App type: Windows desktop application
->
->OS edition: Windows 10 Ent, Edu
->
->Account type: Local standard user or administrator, Active Directory, Azure AD
+- Windows 10 Ent, Edu
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell.
 
 >[!NOTE]
->Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. 
+>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. 
 >
 >Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
 >- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
 >- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
 >- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies
->
->You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](kiosk-single-app.md#wizard).
 
- 
+You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
+
+
+## Differences between Shell Launcher v1 and Shell Launcher v2
+
+Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
+
+Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app.
+
+In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements:
+- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**.
+- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
+- The custom shell app runs in full screen, and and can run other apps in full screen on user’s demand.
+
+For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2).
 
 ## Requirements
 
@@ -44,16 +53,15 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
 >
 >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. 
 
--   A domain or local user account.
+-   A domain, Azure Active Directory, or local user account.
 
--   A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
+-   A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
 
-[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
+[See the technical reference for the shell launcher component.](https://docs.microsoft.com/windows-hardware/customize/enterprise/shell-launcher)
 
+## Enable Shell Launcher feature
 
-## Configure Shell Launcher
-
-To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
+To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM.
 
 **To turn on Shell Launcher in Windows features**
 
@@ -63,7 +71,7 @@ To set a Windows desktop application as the shell, you first turn on the Shell L
 
 2. Select **Shell Launcher** and **OK**.
 
-Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
+Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
 
 **To turn on Shell Launcher using DISM**
 
@@ -74,9 +82,70 @@ Alternatively, you can turn on Shell Launcher using Windows Configuration Design
     Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
     ```
 
-**To set your custom shell**
 
-Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
+## Configure a custom shell in MDM
+
+You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
+
+### XML for Shell Launcher configuration
+
+The following XML sample works for **Shell Launcher v1**:
+
+```
+<?xml version="1.0" encoding="utf-8"?> 
+<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"> 
+  <Profiles> 
+    <Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}"> 
+      <Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com" /> 
+    </Profile> 
+  </Profiles> 
+  <Configs>
+    <!--local account-->
+    <Account Name="ShellLauncherUser"/>
+    <Profile ID="{24A7309204F3F-44CC-8375-53F13FE213F7}"/>
+  </Configs>
+</ShellLauncherConfiguration>
+``` 
+
+For **Shell Launcher v2**, you will use a different schema reference and a different app type for `Shell`, as shown in the following example.
+
+```
+<?xml version="1.0" encoding="utf-8"?> 
+<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration" 
+xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration"> 
+  <Profiles> 
+    <DefaultProfile> 
+      <Shell Shell="ShellLauncherV2DemoUwp_5d7tap497jwe8!App" v2:AppType="UWP" v2:AllAppsFullScreen="true"> 
+        <DefaultAction Action="RestartShell"/> 
+      </Shell> 
+    </DefaultProfile> 
+  </Profiles> 
+  <Configs/> 
+</ShellLauncherConfiguration>
+``` 
+
+>[!TIP]
+>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode.
+
+[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
+
+### Custom OMA-URI setting
+
+In your MDM service, you can create a [custom OMA-URI setting](https://docs.microsoft.com/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
+
+The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
+
+For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)` instead. 
+
+![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png)
+
+After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
+
+## Configure a custom shell using PowerShell 
+
+For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md).
+
+For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
 
 ```
 # Check if shell launcher license is enabled
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 439acaa52b..18eee13ef9 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -42,6 +42,8 @@ Method | Description
 
 >[!TIP]
 >You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).  
+>
+>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
 
 
 
@@ -169,8 +171,6 @@ Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
 
 [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
 
-[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
-
 To remove assigned access, using PowerShell, run the following cmdlet.
 
 ```
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index f704538ec1..74acffcf3a 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -40,7 +40,8 @@ New features and improvements | In update
 You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
 
 
-
+>[!TIP]
+>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
 
 <span id="intune"/>
 ## Configure a kiosk in Microsoft Intune
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 48fcd8eb4c..c1f447026d 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -53,7 +53,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
 
 In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
 
-Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
+Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog.
 
 >[!NOTE]
 > If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it.
diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md
index 7e923f2c27..bbca1ea487 100644
--- a/windows/deployment/update/windows-analytics-azure-portal.md
+++ b/windows/deployment/update/windows-analytics-azure-portal.md
@@ -29,7 +29,7 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and
 
 It's important to understand the difference between Azure Active Directory and an Azure subscription:
 
-**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
+**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
  
 An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices.
 
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 0b1327b761..c020f63f0f 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -18,14 +18,15 @@ Find the tools and resources you need to help deploy and support Windows as a se
 
 Find the latest and greatest news on Windows 10 deployment and servicing.
 
-**Working to make Windows updates clear and transparent**
-> [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA]
+**Discovering the Windows 10 Update history pages**
+> [!VIDEO https://www.youtube-nocookie.com/embed/GADIXBf9R58]
 
 Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues. 
 
 The latest news:
 <ul compact style="list-style: none"> 
 <li><a href="https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency">Improving the Windows 10 update experience with control, quality and transparency</a> - April 4, 2019</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Call-to-action-review-your-Windows-Update-for-Business-deferral/ba-p/394244">Call to action: review your Windows Update for Business deferral values</a> - April 3, 2019</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540">Windows 10, version 1809 designated for broad deployment</a> - March 28, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 289b0b5793..a966f7ad8e 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -55,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
 
 ## Log entry structure
 
-A setupact.log or setuperr.log (files are located at C:\Windows) entry includes the following elements:
+A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
 
 <ol>
 <LI><B>The date and time</B> - 2016-09-08 09:20:05.
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 9fb4c1f48f..94224b2a0c 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -25,7 +25,7 @@ By default, all users are migrated. The only way to specify which users to inclu
 -   [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
 
 ## <a href="" id="bkmk-migrateall"></a>To migrate all user accounts and user settings
-
+Links to detailed explanations of commands are available in the Related Topics section.
 
 1.  Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
 
@@ -49,7 +49,7 @@ By default, all users are migrated. The only way to specify which users to inclu
          
 
 ## <a href="" id="bkmk-migratetwo"></a>To migrate two domain accounts (User1 and User2)
-
+Links to detailed explanations of commands are available in the Related Topics section.
 
 1.  Log on to the source computer as an administrator, and specify:
 
@@ -62,7 +62,7 @@ By default, all users are migrated. The only way to specify which users to inclu
     `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
 
 ## <a href="" id="bkmk-migratemoveuserone"></a>To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
-
+Links to detailed explanations of commands are available in the Related Topics section.
 
 1.  Log on to the source computer as an administrator, and type the following at the command-line prompt:
 
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index da571eeaf2..5ee34276fb 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -155,14 +155,18 @@ The following table defines the endpoints for Connected User Experiences and Tel
 
 Windows release | Endpoint
 --- | ---
-Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1</br></br>Functional: v20.vortex-win.data.microsoft.com/collect/v1</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1</br>settings-win.data.microsoft.com
-Windows 10, version 1607 | v10.vortex-win.data.microsoft.com</br></br>settings-win.data.microsoft.com
+Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| Diagnostics data: v10c.vortex-win.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
+Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | Diagnostics data: v10.events.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
+Windows 10, version 1709 or earlier | Diagnostics data: v10.vortex-win.data.microsoft.com</br></br>Functional: v20.vortex-win.data.microsoft.com</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com</br>settings-win.data.microsoft.com
+Windows 7 and Windows 8.1 | vortex-win.data.microsoft.com
 
 The following table defines the endpoints for other diagnostic data services:
 
 | Service | Endpoint |
 | - | - |
 | [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | 
+| | umwatsonc.events.data.microsoft.com |
+| | kmwatsonc.events.data.microsoft.com |
 | | ceuswatcab01.blob.core.windows.net |
 | | ceuswatcab02.blob.core.windows.net |
 | | eaus2watcab01.blob.core.windows.net |
@@ -170,7 +174,7 @@ The following table defines the endpoints for other diagnostic data services:
 | | weus2watcab01.blob.core.windows.net |
 | | weus2watcab02.blob.core.windows.net |
 | [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com |
 
 ### Data use and access
 
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index d3587cfb5a..5939c12ef0 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -507,6 +507,6 @@ Use of the specified data categories to promote a product or service in or on a
 
 Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
 
-- **<a name="#pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
-- **<a name="#anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
-- **<a name="#aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
\ No newline at end of file
+- **<a name="pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
+- **<a name="anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
+- **<a name="aggregate">Aggregated Data</a>** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
\ No newline at end of file
diff --git a/windows/release-information/TOC.yml b/windows/release-information/TOC.yml
new file mode 100644
index 0000000000..b5ef71ac32
--- /dev/null
+++ b/windows/release-information/TOC.yml
@@ -0,0 +1,2 @@
+- name: Index
+  href: index.md
\ No newline at end of file
diff --git a/windows/release-information/breadcrumb/toc.yml b/windows/release-information/breadcrumb/toc.yml
new file mode 100644
index 0000000000..61d8fca61e
--- /dev/null
+++ b/windows/release-information/breadcrumb/toc.yml
@@ -0,0 +1,3 @@
+- name: Docs
+  tocHref: /
+  topicHref: /
\ No newline at end of file
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
new file mode 100644
index 0000000000..6a0fb3e804
--- /dev/null
+++ b/windows/release-information/docfx.json
@@ -0,0 +1,47 @@
+{
+  "build": {
+    "content": [
+      {
+        "files": [
+          "**/*.md",
+          "**/*.yml"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "_themes/**",
+          "_themes.pdf/**",
+          "README.md",
+          "LICENSE",
+          "LICENSE-CODE",
+          "ThirdPartyNotices"
+        ]
+      }
+    ],
+    "resource": [
+      {
+        "files": [
+          "**/*.png",
+          "**/*.jpg"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "_themes/**",
+          "_themes.pdf/**"
+        ]
+      }
+    ],
+    "overwrite": [],
+    "externalReference": [],
+    "globalMetadata": {
+      "breadcrumb_path": "/release-information/breadcrumb/toc.json",
+      "extendBreadcrumb": true,
+      "feedback_system": "None"
+    },
+    "fileMetadata": {},
+    "template": [],
+    "dest": "release-information",
+    "markdownEngineName": "markdig"
+  }
+}
\ No newline at end of file
diff --git a/windows/release-information/index.md b/windows/release-information/index.md
new file mode 100644
index 0000000000..45697f0cda
--- /dev/null
+++ b/windows/release-information/index.md
@@ -0,0 +1,3 @@
+# Welcome to release-information!
+
+test
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 0edce00395..626de0ca3e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
 
 To enforce processing of the group policy, you can run ```gpupdate /force```.
 
+### Enable Windows Defender Credential Guard by using Intune
+
+1.  From **Home** click **Microsoft Intune**
+2.  Click **Device configuration**
+3.  Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
+
+> [!NOTE]
+> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
 
 ### Enable Windows Defender Credential Guard by using the registry
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 1528aad8e3..aade96adc6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th
 
 ## Enable Windows Hello for Business Group Policy
 
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business.  A user will only attempt enrollment if this policy setting is configured to enabled.  
+The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
 
-You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment.  Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
 
 ## Use certificate for on-premises authentication
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 936c4a59e4..e795b09887 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide
 
 [Return to Top](hello-how-it-works-technology.md)
 ## Key Trust
-The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory.  The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
+The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory.  The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
 
 ### Related topics
 [Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6f443cff4f..5c60844b4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -82,7 +82,7 @@ Organizations using older directory synchronization technology, such as DirSync
 <br>
 
 ## Federation ##
-Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises.  Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services.  All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesn’t support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
 
 The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 461d86ca82..5350a7e35a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 
 > [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Azure AD Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. 
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Azure AD Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers.
   
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate.  Windows send the certificate request to the AD FS server for certificate enrollment.
   
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 672ad0f33f..ae8da9280d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
 | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br>  *Minimum:* Windows 10, version 1703<br>  *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br>  Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
 | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
 | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
-| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | 
+| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | 
 | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
 | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
 | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
@@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment.
 | Windows 10, version 1703 or later | Windows 10, version 1703 or later |
 | Windows Server 2016 Schema | Windows Server 2016 Schema|
 | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
-| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
+| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
 | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
 | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) |
 | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index d4040d63f5..ccafee06af 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
 
 The Remote Desktop client device:
 
--  Must be running at least Windows 10, version 1703 to be able to supply credentials.
+-  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. 
 -  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
 -  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
 -  Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
@@ -176,4 +176,4 @@ mstsc.exe /remoteGuard
 
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
 
-- The server and client must authenticate using Kerberos.
\ No newline at end of file
+- The server and client must authenticate using Kerberos.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index f1d02e941e..0b3297ec31 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/02/2019
+ms.date: 04/17/2019
 ---
 
 # BitLocker Group Policy settings
@@ -238,11 +238,11 @@ This policy setting is used to control which unlock options are available for op
  
 **Reference**
 
-If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
 
-On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
+On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
 
--   only the TPM for authentication
+-   only the TPM
 -   insertion of a USB flash drive containing the startup key
 -   the entry of a 4-digit to 20-digit personal identification number (PIN)
 -   a combination of the PIN and the USB flash drive
@@ -392,7 +392,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
 | **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
 | **Introduced**         | Windows 10, version 1703 |
 | **Drive type**         | Operating system drives  |
-| **Policy path**        | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+| **Policy path**        | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
 | **Conflicts**          | None                     |
 | **When enabled**       | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
 | **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index e6b09cec2e..86ebe29111 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 04/17/2019
 ---
 
 # Prepare your organization for BitLocker: Planning and policies
@@ -163,9 +163,9 @@ Full drive encryption means that the entire drive will be encrypted, regardless
 
 ## <a href="" id="bkmk-addscons"></a>Active Directory Domain Services considerations
 
-BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information:
+BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information:
 
-Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
+Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered.
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index fc50cfc48c..7728af0c4f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -11,10 +11,10 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/25/2019
+ms.date: 04/17/2019
 ---
 
-# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
+# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
 
 **Applies to:**
 
@@ -23,8 +23,17 @@ ms.date: 03/25/2019
 
 Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
 
->[!NOTE]
->If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**). the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. MAM supports only one user per device.  
+## Differences between MDM and MAM for WIP
+
+You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: 
+
+- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
+- MAM supports only one user per device.  
+- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
+- MAM has additional **Access** settings for Windows Hello for Business.
+- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
+- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
+- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
 
 ## Prerequisites
 
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index bcad37a020..cfcae5b9de 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/26/2019
+ms.date: 04/15/2019
 ---
 
 # How Windows Information Protection (WIP) protects a file that has a sensitivity label 
@@ -34,8 +34,6 @@ Microsoft information protection technologies include:
 
 - [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. 
 
-- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365.
-
 - [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
 
 - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index f99bc88986..3feed9a1fa 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -345,6 +345,10 @@
 ###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md)
 ###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md)
 
+##### Interoperability
+###### [Partner applications](windows-defender-atp/partner-applications.md)
+
+
 ##### Role-based access control
 ###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
 ####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
@@ -389,7 +393,7 @@
 #####Rules
 ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage indicators](windows-defender-atp/manage-indicators.md)
 ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
   
@@ -1018,10 +1022,17 @@
 ###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
 ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
 
+### [Windows security guidance for enterprises](windows-security-configuration-framework/windows-security-compliance.md)
 
-### [Windows security baselines](windows-security-baselines.md)
-#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-#### [Get support](get-support-for-security-baselines.md)
+#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
+##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
+##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
+#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
+##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
+##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
+##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
+##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
+##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
 
 ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
 
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 1bd7c641e8..6187a558da 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -132,7 +132,7 @@ This event is generated only on domain controllers.
 | 0x8   | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE                       | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                   |
 | 0x10  | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION                      | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                                                                                                                                        |
 | 0x20  | TRUST\_ATTRIBUTE\_WITHIN\_FOREST                           | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
 | 0x80  | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION                    | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT                                                                                                                                                                                                                                          |
 | 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 | 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST                               | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater.                                                                                                                                                                                                                                                                                                                                   |
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png
new file mode 100644
index 0000000000..06f66acf99
Binary files /dev/null and b/windows/security/threat-protection/images/seccon-framework.png differ
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png
new file mode 100644
index 0000000000..75467f2098
Binary files /dev/null and b/windows/security/threat-protection/images/security-control-classification.png differ
diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png
new file mode 100644
index 0000000000..4f869474e2
Binary files /dev/null and b/windows/security/threat-protection/images/security-control-deployment-methodologies.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 44c4ef2a2f..4c4b362d5c 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -14,9 +14,13 @@ ms.localizationpriority: medium
 # Threat Protection
 [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
 
+>[!Note]
+> The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in next few months.
+
 <center><h2>Windows Defender ATP</center></h2>
 <table>
 <tr>
+<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
 <td><a href="#asr"><center><img src="images/ASR_icon.png"> <br><b>Attack surface reduction</b></center></a></td>
 <td><center><a href="#ngp"><img src="images/NGP_icon.png"><br> <b>Next generation protection</b></a></center></td>
 <td><center><a href="#edr"><img src="images/EDR_icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
@@ -25,15 +29,23 @@ ms.localizationpriority: medium
 <td><center><a href="#mte"><img src="images/MTE_icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
 </tr>
 <tr>
-<td colspan="6">
+<td colspan="7">
 <a href="#apis"><center><b>Management and APIs</a></b></center></td>
 </tr>
 <tr>
-<td colspan="6"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
+<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
 </tr>
 </table>
 <br>
 
+<a name="tvm"></a>
+
+**[Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
+- [Risk-based Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md) 
+- [What's in the dashboard and what it means for my organization](windows-defender-atp/tvm-dashboard-insights.md)
+- [Configuration score](windows-defender-atp/configuration-score.md)
+- [Scenarios](windows-defender-atp/threat-and-vuln-mgt-scenarios.md)
 
 <a name="asr"></a>
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index 14740a3224..2be015772f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
 
 ### Possible values
 
@@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the device’s usage and
 
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
 
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server)
+
 ### Default values
 
 The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index a7425d8dc2..06d22fc8d2 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
 
 ### Default values
 
-By default this setting is Administrators on domain controllers and on stand-alone servers.
+By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers.
 
 The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index ea2b3fa6af..024554261c 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -14,7 +14,8 @@ ms.localizationpriority: medium
 # Use Windows Event Forwarding to help with intrusion detection
 
 **Applies to**
--   Windows 10
+-   Windows 10
+-   Windows Server
 
 Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 78351fac00..492af0b7b7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -24,6 +24,9 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
 
 Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
 
+> [!NOTE]
+> Automatic exclusions apply only to Windows Server 2016 and above. 
+
 >[!TIP]
 >The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
index 15865ca9fa..fbe8f28763 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -56,14 +56,11 @@ SIP is a built-in macOS security feature that prevents low-level tampering with
 ## Installation and configuration overview
 There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. 
 In general you'll need to take the following steps:
-  - [Register macOS devices](#register-macos-devices) with Windows Defender ATP
-  - Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
-  - [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
-  - [JAMF based deployment](#jamf-based-deployment)
-  - [Manual deployment](#manual-deployment)
-
-## Deploy Microsoft Defender ATP for Mac
-Use any of the supported methods to deploy Microsoft Defender ATP for Mac
+  - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
+  - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
+    * [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
+    * [JAMF based deployment](#jamf-based-deployment)
+    * [Manual deployment](#manual-deployment)
 
 ## Microsoft Intune based deployment
 
@@ -293,7 +290,6 @@ After some time, the machine's User Approved MDM status will change to Yes.
 
 You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
 
-
 ### Deployment
 Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
 
@@ -329,7 +325,7 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
 
 You can also check the onboarding status:
 ```
-mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
 uuid            : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
 orgid           : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
 orgid managed   : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
@@ -351,13 +347,13 @@ For example, this script removes Microsoft Defender ATP from the /Applications d
 
 ```
 echo "Is WDAV installed?"
-ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
 
 echo "Uninstalling WDAV..."
-rm -rf '/Applications/Microsoft Defender.app'
+rm -rf '/Applications/Microsoft Defender ATP.app'
 
 echo "Is WDAV still installed?"
-ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
+ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
 
 echo "Done!"
 ```
@@ -374,7 +370,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha
 You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
 
 ```
-/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
+sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
 ```
 
 This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
@@ -435,7 +431,7 @@ The installation will proceed.
     The client machine is not associated with orgId.  Note that the orgid is blank.
 
     ```
-    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
     uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
     orgid :
     ```
@@ -449,7 +445,7 @@ The installation will proceed.
 3.  Verify that the machine is now associated with orgId:
 
     ```
-    mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
     uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
     orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
     ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 154d463930..b1e10dc63f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab
 | Windows directory or drive | AppLocker path variable | Windows environment variable |
 | - | - | - |
 | Windows | %WINDIR% | %SystemRoot% | 
-| System32 | %SYSTEM32%| %SystemDirectory%| 
+| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%| 
 | Windows installation directory | %OSDRIVE%|%SystemDrive%| 
 | Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| 
 | Removable media (for example, CD or DVD) | %REMOVABLE%| |
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 8522325f19..34fbe7530e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 08/31/2018
+ms.date: 04/09/2019
 ---
 
 # Microsoft recommended block rules
@@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 |Lee Christensen|@tifkin_|
 |Vladas Bulavas | Kaspersky Lab |
 |Lasse Trolle Borup | Langkjaer Cyber Defence |
+|Jimmy Bayne | @bohops |
+|Philip Tsukerman | @PhilipTsukerman |
 
 <br />
 
@@ -76,7 +78,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke
 
 For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
 
-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
+
+- msxml3.dll
+- msxml6.dll
+- jscript9.dll
+
+Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
 
 ```xml
 <?xml version="1.0" encoding="utf-8" ?> 
@@ -137,7 +145,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
   <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 
   <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
-  <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />   
+  <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />  
+  <! -- msxml3.dll pick correct version based on release you are supporting -->
+  <! -- msxml6.dll pick correct version based on release you are supporting -->     
+  <! -- jscript9.dll pick correct version based on release you are supporting -->
+  <! -- RS1 Windows 1607
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
+  -->
+  <! -- RS2 Windows 1703
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
+  -->
+  <! -- RS3 Windows 1709
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
+  -->
+  <! -- RS4 Windows 1803
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
+  -->
+  <! -- RS5 Windows 1809
+  <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
+  <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
+  <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
+  -->
   <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/> 
   <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/> 
   <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/> 
@@ -842,8 +878,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <FileRuleRef RuleID="ID_DENY_KILL"/> 
   <FileRuleRef RuleID="ID_DENY_WMIC"/>
   <FileRuleRef RuleID="ID_DENY_MWFC" /> 
-  <FileRuleRef RuleID="ID_DENY_WFC" />   
-  <FileRuleRef RuleID="ID_DENY_D_1"/> 
+  <FileRuleRef RuleID="ID_DENY_WFC" /> 
+  <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
+  <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
+  <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
+  <FileRuleRef RuleID="ID_DENY_D_1"/>
   <FileRuleRef RuleID="ID_DENY_D_2"/> 
   <FileRuleRef RuleID="ID_DENY_D_3"/> 
   <FileRuleRef RuleID="ID_DENY_D_4"/> 
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index e8ea7a0740..3a56abbd31 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,6 +1,12 @@
 # [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 
 ## [Overview](overview.md)
+### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
+#### [Configuration score](configuration-score.md)
+#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
+
+
 ### [Attack surface reduction](overview-attack-surface-reduction.md)
 #### [Hardware-based isolation](overview-hardware-based-isolation.md)
 ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
@@ -32,6 +38,7 @@
 ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
 ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
 ##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
+
  
 #### Machines list
 ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
@@ -70,10 +77,11 @@
 
 
 ### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
+
+### [Microsoft Threat Experts](microsoft-threat-experts.md)
+
 ### [Threat analytics](threat-analytics.md)
 
-
-
 ### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
 #### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
 ##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
@@ -81,23 +89,16 @@
 #### [Custom detections](overview-custom-detections.md)
 #####[Create custom detections rules](custom-detection-rules.md)
 
-
 ### [Management and APIs](management-apis.md)
 #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP APIs](apis-intro.md)
 #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
 
-
 ### [Microsoft Threat Protection](threat-protection-integration.md)
 ####  [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
 #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
 #### [Information protection in Windows overview](information-protection-in-windows-overview.md)
 
-
-
-### [Microsoft Threat Experts](microsoft-threat-experts.md)
-
-
 ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
 
 
@@ -212,6 +213,8 @@
 
 ### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) 
 
+### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
+
 ### Management and API support
 #### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
 ##### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
@@ -335,6 +338,10 @@
 ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md)
 ##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md)
 
+
+#### Interoperability
+##### [Partner applications](partner-applications.md)
+
 #### Role-based access control
 ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
 ###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
@@ -343,11 +350,6 @@
 
 #### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md)
 
-
-
-
-### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
-
 ### Configure Microsoft Threat Protection integration
 #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
 #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
@@ -376,7 +378,7 @@
 ####Rules
 ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage indicators](manage-indicators.md)
 ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
 ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
  
@@ -385,8 +387,6 @@
 ##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
  
 #### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
- 
-
 
 
 ## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index df2d4cbab8..dff8fdeb1c 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -94,8 +94,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
 This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.
 
 >[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
-
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
 
 
 ## Microsoft Cloud App Security
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index 467af897d1..e4ad2bca0f 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -42,6 +42,8 @@ To effectively build queries that span multiple tables, you need to understand t
 | AdditionalFields | string | Additional information about the event in JSON array format |
 | AlertId | string | Unique identifier for the alert |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| Category | string | Type of threat indicator or breach activity identified by the alert |
+| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
 | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
 | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
 | DefaultGateways | string | Default gateway addresses in JSON array format |
@@ -73,6 +75,8 @@ To effectively build queries that span multiple tables, you need to understand t
 | Ipv4Dhcp | string | IPv4 address of DHCP server |
 | Ipv6Dhcp | string | IPv6 address of DHCP server |
 | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
+| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
+| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file |
 | LocalIP | string | IP address assigned to the local machine used during communication |
 | LocalPort | int | TCP port on the local machine used during communication |
 | LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
@@ -89,6 +93,7 @@ To effectively build queries that span multiple tables, you need to understand t
 | OSArchitecture | string | Architecture of the operating system running on the machine |
 | OSBuild | string | Build version of the operating system running on the machine |
 | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| OsVersion | string | Version of the operating system running on the machine |
 | PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
 | PreviousRegistryValueData | string | Original data of the registry value before it was modified |
 | PreviousRegistryValueName | string | Original name of the registry value before it was modified |
@@ -110,8 +115,12 @@ To effectively build queries that span multiple tables, you need to understand t
 | RemotePort | int | TCP port on the remote device that was being connected to |
 | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
+| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
+| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
+| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
+| RegistryMachineTag | string | Machine tag added through the registry |
 | Table | string | Table that contains the details of the event |
 | TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
 
diff --git a/windows/security/threat-protection/windows-defender-atp/configuration-score.md b/windows/security/threat-protection/windows-defender-atp/configuration-score.md
new file mode 100644
index 0000000000..bb6764a9a3
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/configuration-score.md
@@ -0,0 +1,56 @@
+---
+title: Overview of Configuration score in Microsoft Defender Security Center
+description: Expand your visibility into the overall security configuration posture of your organization
+keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Configuration score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease�information](prerelease.md)]
+
+>[!NOTE]
+>  Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
+
+The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
+
+Your configuration score widget shows the collective security configuration state of your machines across the following categories:
+- Application
+- Operating system
+- Network
+- Accounts
+- Security controls
+
+## How it works
+
+What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+- Compare collected configurations to the collected benchmarks to discover misconfigured assets
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
+- Collect and monitor changes of security control configuration state from all assets
+
+From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. 
+
+## Improve your configuration score
+The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
+- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** 
+- **Remediation type** - **Configuration change** or **Software update**
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) 
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md
new file mode 100644
index 0000000000..81e1e9bed7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md
@@ -0,0 +1,44 @@
+---
+title: Configure Threat & Vulnerability Management in Windows Defender ATP
+description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
+keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM  
+search.product: Windows 10
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+# Configure Threat & Vulnerability Management
+**Applies to:**
+- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease�information](prerelease.md)]
+
+This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
+
+### Before you begin
+>[!IMPORTANT] 
+Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.</br>
+
+Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).   
+
+>[!WARNING] 
+>Only Intune and SCCM enrolled devices are supported in this scenario.</br>
+>Use any of the following options to enroll devices in Intune:
+>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
+>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
+>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
index 8e6edc791b..9f81f669b5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
-author: DulceMV
+author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 67780a3f78..8967eb0a92 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -36,12 +36,12 @@ Information collected includes file data (such as file names, sizes, and hashes)
 
 Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
 
-Microsoft uses this data to:
+This data enables Windows Defender ATP to:
 - Proactively identify indicators of attack (IOAs) in your organization
 - Generate alerts if a possible attack was detected
 - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
 
-Microsoft does not use your data for advertising or for any other purpose other than providing you the service.
+Microsoft does not use your data for advertising.
 
 ## Data protection and encryption
 The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. 
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index f6ed806476..e6933232eb 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If the machine was offboarded it will still appear in machines list. After 7 day
 If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. 
 
 
-Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
+Do you expect a machine to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
 
 ## Misconfigured machines
 Misconfigured machines can further be classified to:
diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md
index 6086863cb6..96a02d2c87 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-started.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-started.md
@@ -31,6 +31,9 @@ Learn about the minimum requirements and initial steps you need to take to get s
 
 The following capabilities are available across multiple products that make up the Windows Defender ATP platform. 
 
+**Threat & Vulnerability Management**<br>
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience. 
+
 **Attack surface reduction**<br>
 The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png
new file mode 100644
index 0000000000..ebd390bd98
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_alert_icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png
new file mode 100644
index 0000000000..b87ba02a90
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_bug_icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png
new file mode 100644
index 0000000000..36c8c8b48f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_config_score.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png
new file mode 100644
index 0000000000..d321e0ca67
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png
new file mode 100644
index 0000000000..04643d5e8d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposed_machines.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png
new file mode 100644
index 0000000000..d535499b79
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_exposure_score.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png
new file mode 100644
index 0000000000..f7e982c9c9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_insight_icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png
new file mode 100644
index 0000000000..6e474ccfa6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_machine_page_details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png
new file mode 100644
index 0000000000..eaaa01d3c0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_menu.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png
new file mode 100644
index 0000000000..49850a80e1
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_remediation_task_created.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png
new file mode 100644
index 0000000000..2711f9560e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_request_remediation.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png
new file mode 100644
index 0000000000..fb099b05f2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_save_csv_file.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png
new file mode 100644
index 0000000000..3dd9ada0c9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_controls.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png
new file mode 100644
index 0000000000..89bdbc6495
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png
new file mode 100644
index 0000000000..1ae6f4320d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_security_recommendations_page.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png
new file mode 100644
index 0000000000..095eb7424c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_software_page_details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png
new file mode 100644
index 0000000000..d7e4a4dd08
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/tvm_vuln_software.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index 5afed1e6df..78b40b3a95 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -37,12 +37,9 @@ You can define the conditions for when entities are identified as malicious or s
 ## Create an allowed or blocked list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 
-2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities: 
-   - File hash
-   - Certificate
-   - IP address
-  
-3. Click **Add system exclusion**.
+2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates. 
+
+3. Select **Add allowed/blocked list rule**.
 
 4. For each attribute specify the exclusion type, details, and their corresponding required values.
     
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/manage-indicators.md
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
index 52627d87be..32faa07505 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
@@ -15,31 +15,26 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/19/2018
-
 ---
 
 # Configure Microsoft Cloud App Security in Windows
 **Applies to:**
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[!include[Prerelease�information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
 
 
 To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration.
 
 
 >[!NOTE]
->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
+>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
 
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**.
 3. Click **Save preferences**.
  
 
-
-![Advanced features](images/atp-mcas-settings.png)
-
 Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security.
 
 ## View the data collected
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md
index 380af8ef33..8f85356b3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: dolmont
-author: DulceMV
+author: DulceMontemayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
diff --git a/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md
new file mode 100644
index 0000000000..cefa8aada0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -0,0 +1,67 @@
+---
+title: Next-generation Threat & Vulnerability Management
+description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning 
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Threat & Vulnerability Management
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease�information](prerelease.md)]
+
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. 
+
+It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
+
+## Next-generation capabilities 
+Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.  
+
+It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
+>[!Note]
+> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
+
+It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. 
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager 
+
+### Real-time discovery
+ 
+To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
+- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
+- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
+ 
+### Intelligence-driven prioritization
+ 
+Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
+- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
+- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
+ 
+### Seamless remediation
+ 
+Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. 
+- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
+- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
+
+## Related topics
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md
index f9989d69f7..b105b4987a 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview.md
@@ -33,6 +33,7 @@ Understand the concepts behind the capabilities in Windows Defender ATP so you t
 
 Topic | Description 
 :---|:---
+[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats.
 [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. 
 [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers.
 [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md
new file mode 100644
index 0000000000..24ba042fc8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md
@@ -0,0 +1,64 @@
+---
+title: Partner applications in Microsoft Defender ATP   
+description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform
+keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Partner applications in Microsoft Defender ATP 
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+
+
+The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
+
+Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. 
+
+## SIEM integration
+Microsoft Defender ATP supports SIEM integration through a variety of methods � specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management.  For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
+## Ticketing and IT service management 
+Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. 
+
+## Security orchestration and automation response (SOAR) integration 
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. 
+
+## External alert correlation and Automated investigation and remediation  
+Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
+  
+Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.  
+
+External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack.  
+
+## Indicators matching
+You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
+
+Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there�s a match.
+
+Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.  
+
+## Support for non-Windows platforms
+Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products� sensor data giving you a unified experience.
+
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 352394a662..9128e2354d 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -108,10 +108,12 @@ Icon | Description
 ![Running icon](images\running.png) | Automated investigation - running
 ![Remediated icon](images\remediated.png) | Automated investigation - remediated 
 ![Partially investigated icon](images\partially_remediated.png) | Automated investigation - partially remediated
-
+![Threat insights icon](images\tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights
+![Possible active alert icon](images\tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert 
+![Recommendation insights icon](images\tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
 
 ## Related topics
 - [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
 - [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md
new file mode 100644
index 0000000000..1e60255cf2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -0,0 +1,107 @@
+---
+title: Threat & Vulnerability Management scenarios
+description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.    
+keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls 
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Threat & Vulnerability Management scenarios
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease�information](prerelease.md)]
+
+## Before you begin
+Ensure that your machines:
+- Are onboarded to Microsoft Defender Advanced Threat Protection
+- Running with Windows 10 1709 (Fall Creators Update) or later
+- Have the following mandatory updates installed:
+- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
+- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
+- Have at least one security recommendation that can be viewed in the machine page
+- Are tagged or marked as co-managed
+
+
+## Reduce your threat and vulnerability exposure
+Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
+
+The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
+- External and internal threats such as public exploit code and security alerts
+- Likelihood of the device getting breached given its current security posture
+- Value of the device to the organization given its role and content
+
+The exposure score is broken down into the following levels:
+- 0 to 29: low exposure score
+- 30 to 69: medium exposure score
+- 70 to 100: high exposure score
+
+You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+To lower down your threat and vulnerability exposure:
+
+1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.  
+  
+   >>![top security recommendations](images/tvm_security_recommendations.png)
+
+   >[!NOTE]
+   > There are two types of recommendations: 
+   > - <i>Security update</i> which refers to recommendations that require a package installation
+   > - <i>Configuration</i> change which refers to recommendations that require a registry or GPO modification
+   > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon.  
+   
+2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu.  ![details in security recommendations page](images/tvm_security_recommendations_page.png)
+
+3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page ](images/tvm_software_page_details.png)
+
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation.  ![details in machine page](images/tvm_machine_page_details.png)
+
+5. Allow a few hours for the changes to propagate in the system.
+    
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
+
+## Improve your security configuration
+>[!NOTE]
+> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. 
+
+Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
+
+1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
+
+   >>![configuration score widget](images/tvm_config_score.png)
+
+2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. 
+   ![security controls related security recommendations](images/tvm_security_controls.png)
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
+
+   >>![request remediation](images/tvm_request_remediation.png). 
+
+   >You will see a confirmation message that the remediation task has been created.
+   >![remediation task creation confirmation](images/tvm_remediation_task_created.png)
+
+4. Save your CSV file.
+   ![save csv file](images/tvm_save_csv_file.png)
+
+5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
+
+6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md
new file mode 100644
index 0000000000..af2aff1186
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md
@@ -0,0 +1,76 @@
+---
+title: What's in the dashboard and what it means for my organization's security posture
+description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. 
+keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score    
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+# Threat & Vulnerability Management dashboard overview
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease�information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
+
+Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Invaluable machine vulnerability context during incident investigations
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)  
+  
+   >[!NOTE]
+   > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.  
+
+You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
+- Correlate EDR insights with endpoint vulnerabilities and process them 
+- Select remediation options, triage and track the remediation tasks
+
+## Threat & Vulnerability Management in Microsoft Defender Security Center
+When you open the portal, you’ll see the main areas of the capability:
+
+ ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
+ 
+ ![Threat & Vulnerability Management menu](images/tvm_menu.png)
+
+- (1) Menu in the navigation pane
+- (2) Threat & Vulnerability Management icon
+- (3) Threat & Vulnerability Management dashboard
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+
+Area | Description
+:---|:---
+(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
+(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. 
+**Dashboards**	| Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
+**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. 
+**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
+(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
+**Organization Exposure score**	| See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. 
+**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. 
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
+**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
+**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+
+See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
index b73e7bc8b1..f9ac32f49d 100644
--- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
+++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
@@ -23,9 +23,17 @@ ms.topic: conceptual
 
 Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server.
 
+## April 2019
+### In preview
+The following capabilities  are included in the April 2019 preview release. 
+
+- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt) <BR> A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
+
+- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications) <BR> Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+
 ## March 2019
 ### In preview
-The following capability are included in the February 2019 preview release. 
+The following capability are included in the March 2019 preview release. 
 
 - [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) <BR> The machine health and compliance report provides high-level information about the devices in your organization. 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 43bb2202f5..14c491a3cf 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -2,7 +2,7 @@
 title: Windows Defender Advanced Threat Protection
 description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats.
 keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection
-search.product: eADQiWindows 10XVcnh
+search.product: Windows 10
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -47,9 +47,8 @@ Windows Defender ATP uses the following combination of technology built into Win
 <center><h2>Windows Defender ATP</center></h2>
 <table>
 <tr>
-<td>
-<a href="#asr">
-<center><img src="images/ASR_icon.png"><br><b>Attack surface reduction</b></center></a></td>
+<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
+<td><a href="#asr"><center><img src="images/ASR_icon.png"><br><b>Attack surface reduction</b></center></a></td>
 <td><center><a href="#ngp"><img src="images/ngp_icon.png"><br> <b>Next generation protection</b></a></center></td>
 <td><center><a href="#edr"><img src="images/edr_icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
 <td><center><a href="#ai"><img src="images/AR_icon.png"><br> <b>Automated investigation and remediation</b></a></center></td>
@@ -57,23 +56,27 @@ Windows Defender ATP uses the following combination of technology built into Win
 <td><center><a href="#mte"><img src="images/MTE_icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
 </tr>
 <tr>
-<td colspan="6">
+<td colspan="7">
 <a href="#apis"><center><b>Management and APIs</a></b></center></td>
 </tr>
 <tr>
-<td colspan="6"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
+<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
 </tr>
 </table>
 <br>
 
 
-<a name="asr"></a>
-
-
 >[!TIP]
 >- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
 >- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
 
+<a name="tvm"></a>
+
+**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**<br>
+This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. 
+
+<a name="asr"></a>
+
 **[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
 The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index e16b905b59..5bfe2c6ba4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -63,22 +63,22 @@ Event ID | Description
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
 
-Rule name | GUID
--|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Rule name | GUID | File & folder exclusions
+-|-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
+Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
+Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
+Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
+Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
+Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
+Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
+Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
 
 Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c49eae7912..bde9222c86 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -100,6 +100,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. 
 >CFG will be enabled for *miles.exe*.
 
+>[!NOTE]
+>If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
+
 ### Configure system-level mitigations with the Windows Security app
 
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index c5d238cf59..73bc1915d3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -17,7 +17,7 @@ ms.author: v-anbic
 
 [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
 
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
+To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
 
 ## Exclude files and folders from ASR rules
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index 667c554a43..958cc3e6d8 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -49,10 +49,11 @@ You can also use Group Policy, Intune, MDM, or System Center Configuration Manag
 
 The following controlled folder access events appear in Windows Event Viewer.
 
-Event ID | Description
-5007     | Event when settings are changed
-1124     | Audited controlled folder access event
-1123     | Blocked controlled folder access event
+| Event ID | Description |
+| --- | --- |
+| 5007     | Event when settings are changed |
+| 1124     | Audited controlled folder access event |
+| 1123     | Blocked controlled folder access event |
 
 ## Customize protected folders and apps
 
@@ -63,4 +64,4 @@ See [Protect important folders with controlled folder access](controlled-folders
 ## Related topics
 - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
 - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode](audit-windows-defender-exploit-guard.md)
\ No newline at end of file
+- [Use audit mode](audit-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md
index 19f2d4873f..e3271818c1 100644
--- a/windows/security/threat-protection/windows-firewall/TOC.md
+++ b/windows/security/threat-protection/windows-firewall/TOC.md
@@ -95,6 +95,7 @@
 #### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
 #### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
 #### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
+#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md)
 #### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
 #### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
 #### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
new file mode 100644
index 0000000000..59c112d9c6
--- /dev/null
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -0,0 +1,140 @@
+---
+title: Create Windows Firewall rules in Intune (Windows 10)
+description: Explains how to create Windows Firewall rules in Intune
+ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: tewchen
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+
+# Create Windows Firewall rules in Intune
+
+**Applies to**
+-   Windows 10
+
+>[!IMPORTANT]
+>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+To get started, open Device Configuration in Intune, then create a new profile. 
+Choose Windows 10 as the platform, and Endpoint Protection as the profile type. 
+Select Windows Defender Firewall. 
+Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade. 
+
+![Windows Defender Firewall in Intune](images/windows-firewall-intune.png)
+
+>[!IMPORTANT]
+>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
+
+## Firewall rule components
+
+Following table has description for each field.
+
+
+| Property | Type | Description |
+|----------|------|-------------|
+| DisplayName | String | The display name of the rule. Does not need to be unique. |
+| Description | String | The description of the rule. |
+| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. |
+| FilePath | String | The full file path of an app that's affected by the firewall rule. |
+| FullyQualifiedBinaryName | String | The fully qualified binary name. |
+| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. |
+| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17).  If not specified, the default is All. |
+| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
+| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
+| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include:<br>- "\*" indicates any local address. If present, this must be the only token included.<br>- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.<br>- A valid IPv6 address.<br>- An IPv4 address range in the format of "start address - end address" with no spaces included.<br>- An IPv6 address range in the format of "start address - end address" with no spaces included.<br>Default is any address. |
+| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include:<br>- "\*" indicates any remote address. If present, this must be the only token included.<br>- "Defaultgateway"<br>- "DHCP"<br>- "DNS"<br>- "WINS"<br>- "Intranet"<br>- "RmtIntranet"<br>- "Internet"<br>- "Ply2Renders"<br>- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.<br>- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.<br>- A valid IPv6 address.<br>- An IPv4 address range in the format of "start address - end address" with no spaces included.<br>- An IPv6 address range in the format of "start address - end address" with no spaces included.<br>Default is any address. |
+| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. |
+| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. |
+| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. |
+| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. |
+| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule.<br>The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.<br>New rules have the EdgeTraversal property disabled by default. |
+| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. |
+
+
+## Application
+Control connections for an app or program. 
+Apps and programs can be specified either file path, package family name, or Windows service short name. 
+
+The file path of an app is its location on the client device. 
+For example, C:\Windows\System\Notepad.exe. 
+[Learn more](https://aka.ms/intunefirewallfilepathrule) 
+
+Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. 
+[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) 
+
+Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. 
+Default ia All. 
+
+[Learn more](https://aka.ms/intunefirewallServiceNameRule)
+
+## Protocol
+Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. 
+
+Default is Any. 
+
+[Learn more](https://aka.ms/intunefirewallprotocolrule)
+
+## Local ports
+Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. 
+
+[Learn more](https://aka.ms/intunefirewalllocalportrule)
+
+## Remote ports
+Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. 
+
+[Learn more](https://aka.ms/intunefirewallremoteportrule)
+
+## Local addresses
+Comma separated list of local addresses covered by the rule. Valid tokens include:
+- \* indicates any local address. If present, this must be the only token included. 
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is  255.255.255.255. 
+- A valid IPv6 address. 
+- An IPv4 address range in the format of "start address - end address" with no spaces included. 
+- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address. 
+
+[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
+
+## Remote addresses
+List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
+- \* indicates any remote address. If present, this must be the only token included. 
+- Defaultgateway 
+- DHCP 
+- DNS 
+- WINS 
+- Intranet (supported on Windows versions 1809+) 
+- RmtIntranet (supported on Windows versions 1809+) 
+- Internet (supported on Windows versions 1809+) 
+- Ply2Renders (supported on Windows versions 1809+) 
+- LocalSubnet indicates any local address on the local subnet. 
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. 
+- A valid IPv6 address. 
+- An IPv4 address range in the format of "start address - end address" with no spaces included. 
+- An IPv6 address range in the format of "start address - end address" with no spaces included. 
+
+Default is Any address. 
+
+[Learn more](https://aka.ms/intunefirewallremotaddressrule)
+
+## Edge traversal (coming soon)
+Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. 
+
+[Learn more](https://aka.ms/intunefirewalledgetraversal)
+
+## Authorized users
+Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users. 
+
+[Learn more](https://aka.ms/intunefirewallauthorizedusers)
+
+## Configuring firewall rules programmatically
+
+Coming soon.
+
+
diff --git a/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png b/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png
new file mode 100644
index 0000000000..796a030a6e
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/windows-firewall-intune.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
new file mode 100644
index 0000000000..8ea1c320ba
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
@@ -0,0 +1,11 @@
+# [Windows security guidance for enterprises](windows-security-compliance.md)
+
+## [Windows security baselines](windows-security-baselines.md)
+### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+### [Get support](get-support-for-security-baselines.md)
+## [Windows security configuration framework](windows-security-configuration-framework.md)
+### [Level 5 enterprise security](level-5-enterprise-security.md)
+### [Level 4 enterprise high security](level-4-enterprise-high-security.md)
+### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md)
+### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md)
+### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
new file mode 100644
index 0000000000..bdbc4a1115
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -0,0 +1,101 @@
+---
+title: Get support
+description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: sagaudre
+author: justinha
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/25/2018
+---
+
+# Get Support
+
+**What is the Microsoft Security Compliance Manager (SCM)?**
+
+The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
+
+More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+
+**Where can I get an older version of a Windows baseline?**
+
+Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+
+-   [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+-   [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+-   [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+-   [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+
+**What file formats are supported by the new SCT?**
+
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
+
+**Does SCT support Desired State Configuration (DSC) file format?**
+
+Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
+
+**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
+
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+
+**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+
+No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
+
+<br />
+
+## Version Matrix
+
+**Client Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Server Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+<br />
+
+**Microsoft Products**
+
+| Name | Details | Security Tools |
+|---|---|---|
+Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+
+<br />
+
+> [!NOTE]
+> Browser baselines are built-in to new OS versions starting with Windows 10
+
+## See also
+
+[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
new file mode 100644
index 0000000000..06f66acf99
Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png
new file mode 100644
index 0000000000..75467f2098
Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png
new file mode 100644
index 0000000000..4f869474e2
Binary files /dev/null and b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
new file mode 100644
index 0000000000..bc0e695034
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
@@ -0,0 +1,25 @@
+---
+title: Level 1 enterprise administrator workstation security
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Level 1 enterprise administrator workstation security configuration
+
+**Applies to**  
+
+-   Windows 10
+
+
+Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. 
+A level 1 configuration should include all the configurations from levels 5, 4, 3, and 2 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 1 enterprise administrator security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
new file mode 100644
index 0000000000..3de02c1510
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
@@ -0,0 +1,27 @@
+---
+title: Level 2 enterprise dev/ops security workstation configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Level 2 enterprise dev/ops workstation security configuration
+ 
+**Applies to**  
+
+-   Windows 10
+
+We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 2 configuration should include all the configurations from levels 5, 4, and 3 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 2 enterprise dev/ops security configuration guidance!
+
+
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
new file mode 100644
index 0000000000..9c8c264402
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
@@ -0,0 +1,141 @@
+---
+title: Level 3 enterprise VIP security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Level 3 enterprise VIP security configuration
+
+**Applies to**  
+
+-   Windows 10
+
+Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
+A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.
+
+## Policies
+
+The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
+
+### Security Template Policies
+
+| Feature  | Policy Setting  | Policy Value  | Description  |
+|----------|-----------------|---------------|--------------|
+| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/)  | Account lockout duration  | 15  | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. |
+| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/)  | Account lockout threshold  | 10  | The number of failed logon attempts that causes a user account to be locked out.  |
+| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/)  | Reset account lockout counter after  | 15  | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.   |
+| Password Policy  | Maximum password age  | 60  | The number of days that a password can be used before the system requires the user to change it.  |
+| Password Policy  | Minimum password age  | 1  | The number of days that a password must be used before a user can change it.  |
+| Security Options | Accounts: Administrator account status  | Disabled  | This security setting determines whether the local Administrator account is enabled or disabled.  |
+| Security Options | Accounts: Limit local account use of blank passwords to console logon only  | Enabled  | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.  |
+| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled  | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.  |
+| Security Options | Domain member: Digitally encrypt or sign secure channel data (always)  | Enabled  | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:<br>- Domain member: Digitally encrypt secure channel data (when possible)<br>- Domain member: Digitally sign secure channel data (when possible)  |
+| Security Options | Domain member: Digitally encrypt secure channel data (when possible)  | Enabled  | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.  |
+| Security Options | Domain member: Digitally sign secure channel data (when possible)  | Enabled  | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit.  |
+| Security Options | Interactive logon: Smart card removal behavior  | Lock Workstation  | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started.  |
+| Security Options | Microsoft network client: Digitally sign communications (always)  | Enabled  | This security setting determines whether packet signing is required by the SMB client component.  |
+| Security Options | Microsoft network server: Digitally sign communications (always)  | Enabled  | This security setting determines whether packet signing is required by the SMB server component.  |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts  | Enabled  | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.  |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares  | Enabled  | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.  |
+| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares  | Enabled  | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:<br>- Network access: Named pipes that can be accessed anonymously<br>- Network access: Shares that can be accessed anonymously  |
+| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities.  | Disabled  | This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.  |
+| Security Options | Network security: LDAP client signing requirements  | Negotiate signing  | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.  |
+| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)  | Enabled  | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.  |
+| Security Options | User Account Control: Behavior of the elevation prompt for standard users  | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.  |
+
+### Computer Policies
+
+| Feature  | Policy Setting  | Policy Value  | Description  |
+|----------|-----------------|---------------|--------------|
+| Control Panel / Personalization  | Prevent enabling lock screen camera  | Enabled  | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen.  |
+| Control Panel / Personalization  | Prevent enabling lock screen slide show  | Enabled  | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start.  |
+| Windows Defender SmartScreen / Explorer  | Configure App Install Control  | Allow apps from Store only  | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.  |
+| System / Device Installation / Device Installation Restrictions  | Prevent installation of devices that match any of these device IDs  | Enabled  | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.  |
+| System / Device Installation / Device Installation Restrictions  | Prevent installation of devices using drivers that match these device setup classes | Enabled  | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.  |
+| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP  | Enabled  | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP.  |
+| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP  | Enabled  | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. if you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.  |
+| System / Logon  | Enumerate local users on domain-joined computers  | Disabled  | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.  |
+| System / Power Management / Sleep Settings  | Allow standby states (S1-S3) when sleeping (on battery)  | Disabled  | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed.  |
+| System / Power Management / Sleep Settings  | Allow standby states (S1-S3) when sleeping (plugged in)  | Disabled  | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed.  |
+| Windows Components / BitLocker Drive Encryption / Operating System Drives  | Configure minimum PIN length for startup  | Enabled: 7  | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. if you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.  |
+| Windows Components / BitLocker Drive Encryption / Removable Data Drives  | Deny write access to removable drives not protected by BitLocker  | Enabled  | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
+| Windows Components / Cloud Content  | Turn off Microsoft consumer experiences  | Enabled  | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs.  |
+| Windows Components / Credential User Interface  | Enumerate administrator accounts on elevation  | Disabled  | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate.  |
+| Windows Components / Microsoft Edge  | Configure Password Manager  | Disabled  | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally.  |
+| Windows Components / Remote Desktop Services / Remote Desktop  | Do not allow drive redirection  | Enabled  | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \<driveletter\> on \<computername\>. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.  |
+| Windows Components / RSS Feeds  | Prevent downloading of enclosures  | Enabled  | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.  |
+| Windows Components / Search  | Allow indexing of encrypted files  | Disabled  | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.  |
+| Windows Components / Windows Ink Workspace  | Allow Windows Ink Workspace  | On, but disallow access above lock | Allow Windows Ink Workspace  |
+
+### IE Computer Policies
+
+| Feature  | Policy Setting  | Policy Value  | Description  |
+|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Windows Components / Internet Explorer  | Prevent per-user installation of ActiveX controls  | Enabled  | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.  |
+| Windows Components / Internet Explorer  | Security Zones: Do not allow users to add/delete sites  | Enabled  | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled.  |
+| Windows Components / Internet Explorer  | Security Zones: Do not allow users to change policies  | Enabled  | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.  |
+| Windows Components / Internet Explorer  | Security Zones: Use only machine settings  | Enabled  | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.  |
+| Windows Components / Internet Explorer  | Turn off Crash Detection  | Enabled  | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.  |
+| Windows Components / Internet Explorer  | Turn off the Security Settings Check feature  | Disabled  | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page  | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled  | Enabled  | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page  | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled  | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page  | Turn on Enhanced Protected Mode  | Enabled  | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page  | Intranet Sites: Include all network paths (UNCs)  | Disabled  | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files  | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files  | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt  | Enabled: Enable  | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control  | Enabled: Enable  | This policy setting controls whether the user can run the TDC ActiveX control on websites.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls  | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints  | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets  | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script  | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer  | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls  | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server  | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains  | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone  | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.  |
+
+### IE User Policies
+
+| Feature  | Policy Setting  | Policy Value | Description  |
+|----------|-----------------|--------------|--------------|
+| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled  | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. |
+
+## Controls
+
+The controls enforced in level 3 implement complex security configuration and controls. 
+They are likely to have a higher impact to users or to applications,
+enforcing a level of security commensurate with the risks facing the most targeted organizations. 
+Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
+not.
+
+| Feature Set  | Feature  | Description  |
+|--------------|----------|--------------|
+| Exploit protection  | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level.  |
+| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:<br>[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized<br>*or*<br>[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution<br>*or*<br>[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled  | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
+
+## Behaviors
+
+The behaviors recommended in level 3 represent the most sophisticated security
+configuration. Removing admin rights can be difficult, but it is essential to
+achieve a level of security commensurate with the risks facing the most targeted
+organizations.
+
+| Feature Set  | Feature  | Description  |
+|--------------|----------|--------------|
+| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:<br>- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems<br>- Scientists/ Doctors, who often must install and operate specialized hardware devices<br>- Remote locations with slow web links, where administration is delegated<br>It is typically easier to address these roles later in the process.<br>Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:<br>- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow<br>- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:<br>- install kernel-mode rootkits and/or keyloggers<br>- install and start services<br>- install ActiveX controls, including IE and shell add-ins<br>- access data belonging to other users<br>- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)<br>- replace OS and other program files with trojan horses<br>- disable/uninstall anti-virus<br>- cover its tracks in the event log<br>- render your machine unbootable |
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
new file mode 100644
index 0000000000..2986d0f69e
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
@@ -0,0 +1,209 @@
+---
+title: Level 4 enterprise high security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Level 4 enterprise high security configuration
+
+**Applies to**  
+
+-   Windows 10
+
+Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
+A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors.
+
+## Policies
+
+The policies enforced in level 4 implement more controls and a more sophisticated security
+configuration than level 5. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
+controls, with a moderate timeline that is anticipated to be slightly longer
+than the process in level 5.
+
+### Security Template Policies
+
+| Feature                | Policy Setting                                                                                  | Policy Value                                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Security Options       | Microsoft network client: Send unencrypted password to third party                              | Disabled                                                       | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk.                                                                                                                                                                                                                                                                   |
+| Security Options       | Network access: Allow anonymous SID/Name translation                                            | Disabled                                                       | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name.                                                                                                                                                                                                                  |
+| Security Options       | Network access: Restrict clients allowed to make remote calls to SAM                            | Enabled: Administrators (allowed)                              | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used.                                                                                                                                                                                                                                                                                                                                                                                    |
+| Security Options       | Network security: Allow LocalSystem NULL session fallback                                       | Disabled                                                       | Allow NTLM to fall back to NULL session when used with LocalSystem                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Security Options       | Network security: Do not store LAN Manager hash value on next password change                   | Enabled                                                        | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.                                                                                                                    |
+| Security Options       | Network security: LAN Manager authentication level                                              | Send NTLMv2 response only. Refuse LM & NTLM                    | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
+| Security Options       | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients    | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value.                                                                                                                                                                                                                                                                                                           |
+| Security Options       | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers    | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value.                                                                                                                                                                                                                                                                                                           |
+| Security Options       | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled                                                        | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows                                                                                                                                |
+| User Rights Assignment | Access this computer from the network                                                           | Administrators; Remote Desktop Users                           | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right.                                                                                                                                                                                                                                                                                                                                                                |
+| User Rights Assignment | Enable computer and user accounts to be trusted for delegation                                  | No One (blank)                                                 | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.                                                                                                                                                                                                                                                                                                                                                                                                       |
+| User Rights Assignment | Impersonate a client after authentication                                                       | Administrators, SERVICE, Local Service, Network Service        | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.                                                        |
+| User Rights Assignment | Lock pages in memory                                                                            | No One (blank)                                                 | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM).                                                                                                                                                                                                      |
+| User Rights Assignment | Perform volume maintenance tasks                                                                | Administrators                                                 | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                              |
+| User Rights Assignment | Profile single process                                                                          | Administrators                                                 | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                       |
+
+### Computer Policies
+
+| Feature                                                                               | Policy Setting                                                                                                                          | Policy Value                                                                                       | Description                                                                                                                                                                                                                                                                                                                                                                                             |
+|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Network / Network Connections                                                         | Prohibit use of Internet Connection Sharing on your DNS domain network                                                                  | Enabled                                                                                            | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.                                                                                                                                                                                                                      |
+| Network / Network Provider                                                            | Hardened UNC Paths                                                                                                                      | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.                                                                                                                                                                                                          |
+| Network / Windows Connection Manager                                                  | Prohibit connection to non-domain networks when connected to domain authenticated network                                               | Enabled                                                                                            | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time.                                                                                                                                                                                                                                                                  |
+| Network / WLAN Service / WLAN Settings                                                | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled                                                                                           | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services".                                                                                                                                                                                                     |
+| System / Credentials Delegation                                                       | Remote host allows delegation of non-exportable credentials                                                                             | Enabled                                                                                            | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.                                                                                                 |
+| System / Device Guard                                                                 | Turn on Virtualization Based Security                                                                                                   | Enabled: Virtualization-Based Protection of Code Integrity – Enabled with UEFI Lock                | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature.                                                                                                                                                |
+| System / Internet Communication Management / Internet Communication                   | Turn off Internet download for Web publishing and online ordering wizards                                                               | Enabled                                                                                            | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
+| System / Logon                                                                        | Turn on convenience PIN sign-in                                                                                                         | Disabled                                                                                           | This policy setting allows you to control whether a domain user can sign in using a convenience PIN.                                                                                                                                                                                                                                                                                                    |
+| System / Remote Assistance                                                            | Configure Solicited Remote Assistance                                                                                                   | Disabled                                                                                           | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.                                                                                                                                                                                                                                                                                           |
+| Windows Components / File Explorer                                                    | Turn off Data Execution Prevention for Explorer                                                                                         | Disabled                                                                                           | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.                                                                                                                                                                                                                                                                             |
+| Windows Components / File Explorer                                                    | Turn off heap termination on corruption                                                                                                 | Disabled                                                                                           | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.                                                                                                                                                                                                  |
+| Windows Components / Remote Desktop Services / Remote Desktop Connection Client       | Do not allow passwords to be saved                                                                                                      | Enabled                                                                                            | Controls whether passwords can be saved on this computer from Remote Desktop Connection.                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection                                                                                              | Enabled                                                                                            | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.                                                                                      |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication                                                                                                        | Enabled                                                                                            | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.                                                                                                                                                                                                                                                            |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level                                                                                                  | Enabled: High Level                                                                                | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.  |
+| Windows Components / Windows Security / App and browser protection                    | Prevent users from modifying settings                                                                                                   | Enabled                                                                                            | Prevent users from making changes to the Exploit protection settings area in Windows Security.                                                                                                                                                                                                                                                                                                          |
+| Windows Components / Windows Game Recording and Broadcasting                          | Enables or disables Windows Game Recording and Broadcasting                                                                             | Disabled                                                                                           | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed.                                                                                                                                                                                                                                         |
+| Windows Components / Windows PowerShell                                               | Turn on PowerShell Script Block Logging                                                                                                 | Enabled                                                                                            | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.                                                                                                                                                                                                                                                                           |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client                 | Allow Basic authentication                                                                                                              | Disabled                                                                                           | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.                                                                                                                                                                                                                                                                                |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client                 | Disallow Digest authentication                                                                                                          | Enabled                                                                                            | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.                                                                                                                                                                                                                                                                               |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service                | Allow Basic authentication                                                                                                              | Disabled                                                                                           | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.                                                                                                                                                                                                                                                       |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service                | Disallow WinRM from storing RunAs credentials                                                                                           | Enabled                                                                                            | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.                                                                                                                                                                                                                                          |
+
+### Windows Defender Antivirus Policies
+
+| Feature                                         | Policy Setting                                            | Policy Value   | Description                                                                                                                                                                                                        |
+|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
+
+### IE Computer Policies
+
+| Feature                                                                                                             | Policy Setting                                                                                               | Policy Value                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Windows Components / Internet Explorer                                                                              | Prevent bypassing SmartScreen Filter warnings                                                                | Enabled                                    | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.                                                                                                                                                                                                                                                                                                                                       |
+| Windows Components / Internet Explorer                                                                              | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled                                    | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| Windows Components / Internet Explorer                                                                              | Specify use of ActiveX Installer Service for installation of ActiveX controls                                | Enabled                                    | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.                                                                                                                                                                                                                                                                                                                                                                              |
+| Windows Components / Internet Explorer / Internet Control Panel                                                     | Prevent ignoring certificate errors                                                                          | Enabled                                    | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.                                                                                                                                                                                                                                                                                                                                                                                                               |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page                                     | Allow software to run or install even if the signature is invalid                                            | Disabled                                   | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.                                                                                                                                                                                                                                                                                                                                                                                       |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page                                     | Check for signatures on downloaded programs                                                                  | Enabled                                    | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.                                                                                                                                                                                                                                                                                                                                                                                 |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page                                     | Turn off encryption support                                                                                  | Enabled: Use                               | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.                                                                      |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page                                     | Turn on certificate address mismatch warning                                                                 | Enabled                                    | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Access data sources across domains                                                                           | Enabled: Disable                           | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Allow cut copy or paste operations from the clipboard via script                                             | Enabled: Disable                           | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Automatic prompting for file downloads                                                                       | Enabled: Disable                           | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Download unsigned ActiveX controls                                                                           | Enabled: Disable                           | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Enable dragging of content from different domains across windows                                             | Enabled: Disable                           | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Enable dragging of content from different domains within a window                                            | Enabled: Disable                           | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Initialize and script ActiveX controls not marked as safe                                                    | Enabled: Disable                           | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Launching applications and files in an IFRAME                                                                | Enabled: Disable                           | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Logon options                                                                                                | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.                                                                                                                                                                                                                                                                                                                                                                                                       |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Run .NET Framework-reliant components not signed with Authenticode                                           | Enabled: Disable                           | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Run .NET Framework-reliant components signed with Authenticode                                               | Enabled: Disable                           | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.                                                                                                                                                                                                                                                                                                                                                                         |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Show security warning for potentially unsafe files                                                           | Enabled: Prompt                            | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).                                                                                                                                                                                                                                                                                                                                                                                                            |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Userdata persistence                                                                                         | Enabled: Disable                           | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.                                                                                                                                                                                                                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone                     | Initialize and script ActiveX controls not marked as safe                                                    | Enabled: Disable                           | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone                | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone         | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone    | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Access data sources across domains                                                                           | Enabled: Disable                           | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow active scripting                                                                                       | Enabled: Disable                           | This policy setting allows you to manage whether script code on pages in the zone is run.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow binary and script behaviors                                                                            | Enabled: Disable                           | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow cut copy or paste operations from the clipboard via script                                             | Enabled: Disable                           | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow drag and drop or copy and paste files                                                                  | Enabled: Disable                           | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow file downloads                                                                                         | Enabled: Disable                           | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.                                                                                                                                                                                                                                                                                                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow loading of XAML files                                                                                  | Enabled: Disable                           | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.                                                                                                                                                                                                                                                                                                                                                               |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow META REFRESH                                                                                           | Enabled: Disable                           | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Download signed ActiveX controls                                                                             | Enabled: Disable                           | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow only approved domains to use ActiveX controls without prompt                                           | Enabled: Enable                            | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow only approved domains to use the TDC ActiveX control                                                   | Enabled: Enable                            | This policy setting controls whether the user can run the TDC ActiveX control on websites.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow scripting of Internet Explorer WebBrowser controls                                                     | Enabled: Disable                           | This policy setting determines whether a page can control embedded WebBrowser controls via script.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow script-initiated windows without size or position constraints                                          | Enabled: Disable                           | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow scriptlets                                                                                             | Enabled: Disable                           | This policy setting allows you to manage whether the user can run scriptlets.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow updates to status bar via script                                                                       | Enabled: Disable                           | This policy setting allows you to manage whether script can update the status bar within the zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Allow VBScript to run in Internet Explorer                                                                   | Enabled: Disable                           | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Automatic prompting for file downloads                                                                       | Enabled: Disable                           | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Download unsigned ActiveX controls                                                                           | Enabled: Disable                           | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Enable dragging of content from different domains across windows                                             | Enabled: Disable                           | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Enable dragging of content from different domains within a window                                            | Enabled: Disable                           | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Include local path when user is uploading files to a server                                                  | Enabled: Disable                           | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Initialize and script ActiveX controls not marked as safe                                                    | Enabled: Disable                           | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Java permissions                                                                                             | Enabled: Disable Java                      | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Launching applications and files in an IFRAME                                                                | Enabled: Disable                           | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Logon options                                                                                                | Enabled: Anonymous logon                   | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Navigate windows and frames across different domains                                                         | Enabled: Disable                           | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Run .NET Framework-reliant components not signed with Authenticode                                           | Enabled: Disable                           | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Run .NET Framework-reliant components signed with Authenticode                                               | Enabled: Disable                           | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.                                                                                                                                                                                                                                                                                                                                                                         |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Run ActiveX controls and plugins                                                                             | Enabled: Disable                           | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Script ActiveX controls marked safe for scripting                                                            | Enabled: Disable                           | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Scripting of Java applets                                                                                    | Enabled: Disable                           | This policy setting allows you to manage whether applets are exposed to scripts within the zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Show security warning for potentially unsafe files                                                           | Enabled: Disable                           | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open.                                                                                                                                                                                                                                                                                                                                               |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Userdata persistence                                                                                         | Enabled: Disable                           | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.                                                                                                                                                                                                                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Web sites in less privileged Web content zones can navigate into this zone                                   | Enabled: Disable                           | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone                | Initialize and script ActiveX controls not marked as safe                                                    | Enabled: Disable                           | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone                | Java permissions                                                                                             | Enabled: High Safety                       | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox.                                                                                                                                                                                                                                                                                                                                                                                  |
+| Windows Components / Internet Explorer / Security Features / Add-on Management                                      | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer                             | Enabled                                    | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Windows Components / Internet Explorer / Security Features / Add-on Management                                      | Turn off blocking of outdated ActiveX controls for Internet Explorer                                         | Disabled                                   | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling                               | Internet Explorer Processes                                                                                  | Enabled                                    | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
+| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature                           | Internet Explorer Processes                                                                                  | Enabled                                    | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.                                                                                                                                                                                                                                                                                                                                                                             |
+| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction                       | Internet Explorer Processes                                                                                  | Enabled                                    | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.                                                                                                                                                                                                                                                                                                                            |
+| Windows Components / Internet Explorer / Security Features / Notification Bar                                       | Internet Explorer Processes                                                                                  | Enabled                                    | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.                                                                                                                                                                                                                                                                                              |
+| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation                         | Internet Explorer Processes                                                                                  | Enabled                                    | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.                                                                        |
+| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install                               | Internet Explorer Processes                                                                                  | Enabled                                    | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Windows Components / Internet Explorer / Security Features / Restrict File Download                                 | Internet Explorer Processes                                                                                  | Enabled                                    | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions                  | Internet Explorer Processes                                                                                  | Enabled                                    | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.                                                                                                                                                                        |
+
+### Custom Policies
+
+| Feature           | Policy Setting                  | Policy Value            | Description            |
+|-------------------|---------------------------------|-------------------------|------------------------|
+| MS Security Guide | Configure SMB v1 server         | Disabled                | Disable or enable server-side processing of the SMBv1 protocol  |
+| MS Security Guide | Configure SMB v1 client driver  | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10.  |
+| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled   | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
+| MS Security Guide | WDigest Authentication    | Disabled    | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced.  |
+| MS Security Guide | Block Flash activation in Office documents   | Enabled   | Prevents the Adobe Flash ActiveX control from being loaded by Office applications.  |
+| MSS (Legacy)      | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing)         | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location.     |
+| MSS (Legacy)      | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing)              | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location.       |
+| MSS (Legacy)      | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes                                 | Disabled      | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.    |
+| MSS (Legacy)      | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled   | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.        |
+
+## Controls
+
+The controls enforced in level 4 implement more controls and a more sophisticated security
+configuration than level 5. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using the Audit/Enforce methodology for controls with an Audit mode,
+and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
+is anticipated to be slightly longer than the process in level 5.
+
+| Feature Set                                                 | Feature                                               | Description    |
+|-------------------------------------------------------------|-------------------------------------------------------|----------------|
+| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: <br>- Control flow guard (CFG)<br>- Data Execution Protection (DEP)<br>- Mandatory ASLR<br>- Bottom-Up ASLR<br>- High-entropy ASLR<br>- Validate Exception Chains (SEHOP)<br>- Validate heap integrity     | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).        |        
+| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):<br>1) Audit – enable the controls in audit mode, and gather audit data in a centralized location<br>2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure<br>3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
+| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection              | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
+
+## Behaviors
+
+The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
+a level of security more commensurate with the risks facing users with access to
+sensitive information.
+
+| Feature Set| Feature  | Description  |
+|------------|----------|--------------|
+| Antivirus  | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover.  |
+| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
+| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
new file mode 100644
index 0000000000..5b7819551f
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
@@ -0,0 +1,244 @@
+---
+title: Level 5 enterprise security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 5 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Level 5 enterprise security configuration 
+
+**Applies to**  
+
+-   Windows 10
+
+Level 5 is the minimum security configuration for an enterprise device.
+Microsoft recommends the following configuration for level 5 devices.
+
+## Policies
+
+The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
+Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
+
+### Security Template Policies
+
+| Feature                 | Policy Setting                                                                                   | Policy Value                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Password Policy         | Enforce password history                                                                         | 24                                                      | The number of unique new passwords that must be associated with a user account before an old password can be reused.                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| Password Policy         | Minimum password length                                                                          | 14                                                      | The least number of characters that a password for a user account may contain.                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Password Policy         | Password must meet complexity requirements                                                       | Enabled                                                 | Determines whether passwords must meet complexity requirements:<br>1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.<br>The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.<br>2) Contain characters from three of the following categories:<br>- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)<br>- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)<br>-  Base 10 digits (0 through 9)<br>-Non-alphanumeric characters (special characters):<br>(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)<br>Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.<br>- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.  |
+| Password Policy         | Store passwords using reversible encryption                                                      | Disabled                                                | Determines whether the operating system stores passwords using reversible encryption.                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| Security Options        | Accounts: Guest account status                                                                   | Disabled                                                | Determines if the Guest account is enabled or disabled.                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| Security Options        | Domain member: Disable machine account password changes                                          | Disabled                                                | Determines whether a domain member periodically changes its computer account password.                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| Security Options        | Domain member: Maximum machine account password age                                              | 30                                                      | Determines how often a domain member will attempt to change its computer account password                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| Security Options        | Domain member: require strong (Windows 2000 or later) session key                                | Enabled                                                 | Determines whether 128-bit key strength is required for encrypted secure channel data                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| Security Options        | Interactive logon: Machine inactivity limit                                                      | 900                                                     | The number of seconds of inactivity before the session is locked                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| Security Options        | User Account Control: Admin approval mode for the built-in administrator                         | Enabled                                                 | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation                                                                                                                                                                                                                                                                                                                                                                        |
+| Security Options        | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop                | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.                                                                                                                                                                                                                                                                                |
+| Security Options        | User Account Control: Detect application installations and prompt for elevation                  | Enabled                                                 | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.                                                                                                                                                                                                                                                                       |
+| Security Options        | User Account Control: Run all Administrators in admin approval mode                              | Enabled                                                 | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.                                                                                                                                                                                                                                                                                                |
+| Security Options        | User Account Control: Virtualize file and registry write failures to per-user locations          | Enabled                                                 | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.                                                                                                                                                                                                                            |
+| User Rights Assignments | Access Credential Manager as a trusted caller                                                    | No One (blank)                                          | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.                                                                                                                                                                                                                                                                                              |
+| User Rights Assignments | Act as part of the operating system                                                              | No One (blank)                                          | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                      |
+| User Rights Assignments | Allow log on locally                                                                             | Administrators; Users                                   | Determines which users can log on to the computer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| User Rights Assignments | Back up files and directories                                                                    | Administrators                                          | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system                                                                                                                                                                                                                                                                                                                                                                                     |
+| User Rights Assignments | Create a pagefile                                                                                | Administrators                                          | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file                                                                                                                                                                                                                                                                                                                                                                                           |
+| User Rights Assignments | Create a token object                                                                            | No One (blank)                                          | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.                                                                                                                                                                                                                                                                                                  |
+| User Rights Assignments | Create global objects                                                                            | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions.                                                                                                                                                                                                                                                                                                                                                                                                                          |
+| User Rights Assignments | Create permanent shared objects                                                                  | No One (blank)                                          | Determines which accounts can be used by processes to create a directory object using the object manager                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| User Rights Assignments | Create symbolic links                                                                            | Administrators                                          | Determines if the user can create a symbolic link from the computer he is logged on to                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| User Rights Assignments | Debug programs                                                                                   | Administrators                                          | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                       |
+| User Rights Assignments | Deny access to this computer from the network                                                    | Guests; NT AUTHORITY\\Local Account                     | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.                                                                                                                                                                                                                                                                                                               |
+| User Rights Assignments | Deny log on locally                                                                              | Guests                                                  | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.                                                                                                                                                                                                                                                                                                                                               |
+| User Rights Assignments | Deny log on through Remote Desktop Services                                                      | Guests; NT AUTHORITY\\Local Account                     | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+| User Rights Assignments | Force shutdown from a remote system                                                              | Administrators                                          | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.                                                                                                                                                                                                                                                                                                                                                                                   |
+| User Rights Assignments | Increase scheduling priority                                                                     | Administrators                                          | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                       |
+| User Rights Assignments | Load and unload device drivers                                                                   | Administrators                                          | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                |
+| User Rights Assignments | Manage auditing and security log                                                                 | Administrators                                          | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.                                                                                                                                                                                                                                                                                                                                                                               |
+| User Rights Assignments | Modify firmware environment variables                                                            | Administrators                                          | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.                                                                                                                                                                                                                                                                                                                      |
+| User Rights Assignments | Restore files and directories                                                                    | Administrators                                          | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object                                                                                                                                                                                                                                                                                       |
+| User Rights Assignments | Take ownership of files or other objects                                                         | Administrators                                          | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads                                                                                                                                                                                                                                                                                                                                               |
+
+### Advanced Audit Policies
+
+| Feature            | Policy Setting                        | Policy Value        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Account Logon      | Audit Credential Validation           | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials.                                                                                                                                                                                                                                                                                                       |
+| Account Management | Audit Security Group Management       | Success             | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type.                                                                                                                                                                                                                                                                                            |
+| Account Management | Audit User Account Management         | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
+| Detailed Tracking  | Audit PNP Activity                    | Success             | Audit when plug and play detects an external device                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Detailed Tracking  | Audit Process Creation                | Success             | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited                                                                                                                                                                                                                                                                                                                     |
+| Logon/ Logoff      | Audit Account Lockout                 | Failure             | Audit events generated by a failed attempt to log on to an account that is locked out                                                                                                                                                                                                                                                                                                                                                                        |
+| Logon/ Logoff      | Audit Group Membership                | Success             | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.                               |
+| Logon/ Logoff      | Audit Logon                           | Success and Failure | Audit events generated by user account logon attempts on the computer                                                                                                                                                                                                                                                                                                                                                                                        |
+| Logon/ Logoff      | Audit Other Logon / Logoff Events     | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account                                                                                 |
+| Logon/ Logoff      | Audit Special Logon                   | Success             | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network)                                                                                            |
+| Object Access      | Audit Detailed File Share             | Failure             | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed                                                                                                                                                                                                                                                                                                         |
+| Object Access      | Audit File Share                      | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder                                                                                                                                                                                                                                                                                                                                      |
+| Object Access      | Audit Other Object Access Events      | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects                                                                                                                                                                                                                                                                                                                                                                              |
+| Object Access      | Audit Removable Storage               | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.                                                                                                                                                                                                                                                                                 |
+| Policy Change      | Audit Audit Policy Change             | Success             | Audit changes in the security audit policy settings                                                                                                                                                                                                                                                                                                                                                                                                          |
+| Policy Change      | Audit Authentication Policy Change    | Success             | Audit events generated by changes to the authentication policy                                                                                                                                                                                                                                                                                                                                                                                               |
+| Policy Change      | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.                                                                                                                                                                                                                                                                                                               |
+| Policy Change      | Audit Other Policy Change Events      | Failure             | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications                                                          |
+| Privilege Use      | Audit Sensitive Privilege Use         | Success and Failure | Audit events generated when sensitive privileges (user rights) are used                                                                                                                                                                                                                                                                                                                                                                                      |
+| System             | Audit Other System Events             | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations.                                                                                                                                                                                                                                              |
+| System             | Audit Security State Change           | Success             | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.                                                                                                                                 |
+| System             | Audit Security System Extension       | Success             | Audit events related to security system extensions or services                                                                                                                                                                                                                                                                                                                                                                                               |
+| System             | Audit System Integrity                | Success and Failure | Audit events that violate the integrity of the security subsystem                                                                                                                                                                                                                                                                                                                                                                                            |
+
+### Windows Defender Firewall Policies
+
+| Feature                    | Policy Setting                        | Policy Value | Description                                                                                                                               |
+|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------|
+| Domain Profile / Logging   | Log dropped packets                   | Yes          | Enables logging of dropped packets for a domain connection                                                                                |
+| Domain Profile / Logging   | Log successful connections            | Yes          | Enables logging of successful connections for a domain connection                                                                         |
+| Domain Profile / Logging   | Size Limit                            | 16384        | Sets the firewall log file size for a domain connection                                                                                   |
+| Domain Profile / Settings  | Display a notification                | No           | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile  |
+| Domain Profile / State     | Firewall State                        | On           | Enables the firewall when connected to the domain profile                                                                                 |
+| Domain Profile / State     | Inbound Connections                   | Block        | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile                  |
+| Private Profile / Logging  | Log dropped packets                   | Yes          | Enables logging of dropped packets for a private connection                                                                               |
+| Private Profile / Logging  | Log successful connections            | Yes          | Enables logging of successful connections for a private connection                                                                        |
+| Private Profile / Logging  | Size limit                            | 16384        | Sets the firewall log file size for a private connection                                                                                  |
+| Private Profile / Settings | Display a notification                | No           | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
+| Private Profile / State    | Firewall state                        | On           | Enables the firewall when connected to the private profile                                                                                |
+| Private Profile / State    | Inbound connections                   | Block        | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile                 |
+| Public Profile / Logging   | Log dropped packets                   | Yes          | Enables logging of dropped packets for a public connection                                                                                |
+| Public Profile / Logging   | Log successful connections            | Yes          | Enables logging of successful connections for a public connection                                                                         |
+| Public Profile / Logging   | Size Limit                            | 16384        | Sets the firewall log file size for a public connection                                                                                   |
+| Public Profile / Settings  | Apply local connection security rules | No           | Ensures local connection rules will not be merged with Group Policy settings in the domain                                                |
+| Public Profile / Settings  | Apply local firewall rules            | No           | Users cannot create new firewall rules                                                                                                    |
+| Public Profile / Settings  | Display a notification                | No           | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile  |
+| Public Profile / State     | Firewall state                        | On           | Enables the firewall when connected to the public profile                                                                                 |
+| Public Profile / State     | Inbound connections                   | Block        | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile                  |
+
+### Computer Policies
+
+| Feature                                                                   | Policy Setting                                                               | Policy Value                                                                                           | Description                                                                                                                                                                                                                                                                                                                                                                          |
+|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Network / Lanman Workstation                                              | Enable insecure guest logons                                                 | Disabled                                                                                               | Determines if the SMB client will allow insecure guest logons to an SMB server                                                                                                                                                                                                                                                                                                       |
+| System / Device Guard                                                     | Turn on Virtualization Based Security                                        | Enabled: SecureBoot and DMA Protection                                                                 | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
+| System / Early Launch Antimalware                                         | Boot-Start Driver Initialization Policy                                      | Enabled: Good, Unknown and bad but critical                                                            | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.                                                                                                                                                                                                                                |
+| System / Power Management / Sleep Settings                                | Require a password when a computer wakes (on battery)                        | Enabled                                                                                                | Specifies whether the user is prompted for a password when the system resumes from sleep                                                                                                                                                                                                                                                                                             |
+| System / Power Management / Sleep Settings                                | Require a password when a computer wakes (plugged in)                        | Enabled                                                                                                | Specifies whether the user is prompted for a password when the system resumes from sleep                                                                                                                                                                                                                                                                                             |
+| System / Remote Procedure Call                                            | Restrict Unauthenticated RPC clients                                         | Enabled: Authenticated                                                                                 | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.                                                                                                                                                                                                                                                                                   |
+| Windows Components / App runtime                                          | Allow Microsoft accounts to be optional                                      | Enabled                                                                                                | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.                                                                                                                                                                                                     |
+| Windows Components / AutoPlay Policies                                    | Disallow Autoplay for non-volume devices                                     | Enabled                                                                                                | Disallows AutoPlay for MTP devices like cameras or phones.                                                                                                                                                                                                                                                                                                                           |
+| Windows Components / AutoPlay Policies                                    | Set the default behavior for AutoRun                                         | Enabled: Do not execute any autorun commands                                                           | Sets the default behavior for Autorun commands.                                                                                                                                                                                                                                                                                                                                      |
+| Windows Components / AutoPlay Policies                                    | Turn off Autoplay                                                            | Enabled: All Drives                                                                                    | Allows you to turn off the Autoplay feature.                                                                                                                                                                                                                                                                                                                                         |
+| Windows Components / Biometrics / Facial Features                         | Configure enhanced anti-spoofing                                             | Enabled                                                                                                | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication                                                                                                                                                                                                                                                                                          |
+| Windows Components / BitLocker Drive Encryption                           | Choose drive encryption method and cipher strength (Windows 10)              | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker.                                                                                                                                                                                                                             |
+| Windows Components / BitLocker Drive Encryption                           | Disable new DMA devices when this computer is locked                         | Enabled                                                                                                | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows                                                                                                                                                                                                                                                 |
+| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup                                              | Enabled                                                                                                | Allows you to configure whether enhanced startup PINs are used with BitLocker                                                                                                                                                                                                                                                                                                        |
+| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation                                   | Enabled                                                                                                | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.                                                                                                                                                                                                                                                |
+| Windows Components / Event Log Service / Application                      | Specify the maximum log file size (KB)                                       | Enabled: 32768                                                                                         | Specifies the maximum size of the log file in kilobytes.                                                                                                                                                                                                                                                                                                                             |
+| Windows Components / Event Log Service / Security                         | Specify the maximum log file size (KB)                                       | Enabled: 196608                                                                                        | Specifies the maximum size of the log file in kilobytes.                                                                                                                                                                                                                                                                                                                             |
+| Windows Components / Event Log Service / System                           | Specify the maximum log file size (KB)                                       | Enabled: 32768                                                                                         | Specifies the maximum size of the log file in kilobytes.                                                                                                                                                                                                                                                                                                                             |
+| Windows Components / Microsoft Edge                                       | Configure Windows Defender SmartScreen                                       | Enabled                                                                                                | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software                                                                                                                                                                                                            |
+| Windows Components / Windows Defender SmartScreen / Explorer              | Configure Windows Defender SmartScreen                                       | Warn and prevent bypass                                                                                | Allows you to turn Windows Defender SmartScreen on or off                                                                                                                                                                                                                                                                                                                            |
+| Windows Components / Microsoft Edge                                       | Prevent bypassing Windows Defender SmartScreen prompts for files             | Enabled                                                                                                | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.                                                                                                                                                                                                                                     |
+| Windows Components / Windows Defender SmartScreen / Microsoft Edge        | Prevent bypassing Windows Defender SmartScreen prompts for sites             | Enabled                                                                                                | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites                                                                                                                                                                                                                                                        |
+| Windows Components / Windows Installer                                    | Allow user control over installs                                             | Disabled                                                                                               | Permits users to change installation options that typically are available only to system administrators                                                                                                                                                                                                                                                                              |
+| Windows Components / Windows Installer                                    | Always install with elevated privileges                                      | Disabled                                                                                               | Directs Windows Installer to use elevated permissions when it installs any program on the system                                                                                                                                                                                                                                                                                     |
+| Windows Components / Windows Logon Options                                | Sign-in last interactive user automatically after a system-initiated restart | Disabled                                                                                               | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system                                                                                                                                                                                                                                                              |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client     | Allow unencrypted traffic                                                    | Disabled                                                                                               | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network                                                                                                                                                                                                                                                                 |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service    | Allow unencrypted traffic                                                    | Disabled                                                                                               | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.                                                                                                                                                                                                                                                               |
+
+### Windows Defender Antivirus Policies
+
+| Feature                                                                | Policy Setting                                            | Policy Value               | Description                                                                                                                                                                                                         |
+|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Windows Components / Windows Defender Antivirus                        | Turn off Windows Defender Antivirus                       | Disabled                   | Turns off Windows Defender Antivirus                                                                                                                                                                                |
+| Windows Components / Windows Defender Antivirus                        | Configure detection for potentially unwanted applications | Enabled: Audit             | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.  |
+| Windows Components / Windows Defender Antivirus / MAPS                 | Join Microsoft MAPS                                       | Enabled: Advanced MAPS     | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
+| Windows Components / Windows Defender Antivirus / MAPS                 | Send file samples when further analysis is required       | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set                                                                                                                                     |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection                             | Disabled                   | Turns off real-time protection prompts for known malware detection                                                                                                                                                  |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring                               | Enabled                    | Allows you to configure behavior monitoring.                                                                                                                                                                        |
+| Windows Components / Windows Defender Antivirus / Scan                 | Scan removable drives                                     | Enabled                    | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.                                          |
+| Windows Components / Windows Defender Antivirus / Scan                 | Specify the interval to run quick scans per day           | 24                         | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day).          |
+| Windows Components / Windows Defender Antivirus / Scan                 | Turn on e-mail scanning                                   | Enabled                    | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments |
+
+### User Policies
+
+| Feature                                | Policy Setting                                              | Policy Value | Description                                                                                                                                                                      |
+|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen             | Enabled      | Turns off toast notifications on the lock screen.                                                                                                                                |
+| Windows Components / Cloud Content     | Do not suggest third-party content in the Windows spotlight | Enabled      | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
+
+### IE Computer Policies
+
+| Feature                                                                                                             | Policy Setting                                          | Policy Value         | Description                                                                                                                                                                                                            |
+|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Windows Components / Internet Explorer                                                                              | Prevent managing SmartScreen Filter                     | Enabled: On          | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page                                     | Check for server certificate revocation                 | Enabled              | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates                                                                                                                   |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Don't run antimalware programs against ActiveX controls | Enabled: Disable     | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Turn on Cross-Site Scripting Filter                     | Enabled: Enable      | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Turn on Protected Mode                                  | Enabled: Enable      | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Turn on SmartScreen Filter scan                         | Enabled: Enable      | Controls whether SmartScreen Filter scans pages in this zone for malicious content.                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone                     | Use Pop-up Blocker                                      | Enabled: Enable      | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.                                                                           |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone                     | Don't run antimalware programs against ActiveX controls | Enabled: Disable     | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone                     | Java permissions                                        | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.                                                              |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone                | Don't run antimalware programs against ActiveX controls | Enabled: Disable     | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone         | Turn on SmartScreen Filter scan                         | Enabled: Enable      | Controls whether SmartScreen Filter scans pages in this zone for malicious content.                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan                         | Enabled: Enable      | Controls whether SmartScreen Filter scans pages in this zone for malicious content.                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Don't run antimalware programs against ActiveX controls | Enabled: Disable     | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Turn on Cross-Site Scripting Filter                     | Enabled: Enable      | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.                                                                                |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Turn on Protected Mode                                  | Enabled: Enable      | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Turn on SmartScreen Filter scan                         | Enabled: Enable      | Controls whether SmartScreen Filter scans pages in this zone for malicious content.                                                                                                                                    |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone    | Java permissions                                        | Enabled: Enable      |  Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High.                                                                                          |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone             | Use Pop-up Blocker                                      | Enabled: Enable      | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.                                                                           |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone                | Don't run antimalware programs against ActiveX controls | Enabled: Disable     | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.                                                                                    |
+| Windows Components / Internet Explorer / Security Features                                                          | Allow fallback to SSL 3.0 (Internet Explorer)           | Enabled: No sites    | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.                             |
+
+### LAPS
+
+Download and install the [Microsoft Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899). 
+
+| Feature | Policy Setting                         | Policy Value | Description                   |
+|---------|----------------------------------------|--------------|-------------------------------|
+| LAPS    | Enable local admin password management | Enabled      | Activates LAPS for the device |
+
+### Custom Policies
+
+| Feature                                                               | Policy Setting                                            | Policy Value | Description                                                                           |
+|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------|
+| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled      | Filters the user account token for built-in administrator accounts for network logons |
+
+### Services
+
+| Feature        | Policy Setting                    | Policy Value | Description                                                                       |
+|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------|
+| Scheduled Task | XblGameSaveTask                   | Disabled     | Syncs save data for Xbox Live save-enabled games                                  |
+| Services       | Xbox Accessory Management Service | Disabled     | Manages connected Xbox accessories                                                |
+| Services       | Xbox Game Monitoring              | Disabled     | Monitors Xbox games currently being played                                        |
+| Services       | Xbox Live Auth Manager            | Disabled     | Provides authentication and authorization services for interactive with Xbox Live |
+| Services       | Xbox Live Game Save               | Disabled     | Syncs save data for Xbox live save enabled games                                  |
+| Services       | Xbox Live Networking Service      | Disabled     | Supports the Windows.Networking.XboxLive API                                      |
+
+## Controls
+
+The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications. 
+
+| Feature                           | Config                              | Description        |
+|-----------------------------------|-------------------------------------|--------------------|
+| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response)          | Deployed to all devices             | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step.      |
+| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard)                 | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).  |   
+| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/)                    | Default browser                     | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).   |
+| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware      | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |    
+
+## Behaviors
+
+The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
+
+| Feature | Config            | Description |
+|---------|-------------------|-------------|
+| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
new file mode 100644
index 0000000000..fe229e350d
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -0,0 +1,72 @@
+---
+title: Microsoft Security Compliance Toolkit 1.0
+description: This article describes how to use the Security Compliance Toolkit in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: sagaudre
+author: justinha
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 11/26/2018
+---
+
+# Microsoft Security Compliance Toolkit 1.0
+
+## What is the Security Compliance Toolkit (SCT)?
+
+The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
+
+The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+<p></p>
+
+The Security Compliance Toolkit consists of:
+
+-   Windows 10 security baselines
+    -   Windows 10 Version 1809 (October 2018 Update)
+    -   Windows 10 Version 1803 (April 2018 Update)
+    -   Windows 10 Version 1709 (Fall Creators Update)
+    -   Windows 10 Version 1703 (Creators Update)
+    -   Windows 10 Version 1607 (Anniversary Update)
+    -   Windows 10 Version 1511 (November Update)
+    -   Windows 10 Version 1507
+
+-   Windows Server security baselines
+    -   Windows Server 2019
+    -   Windows Server 2016
+    -   Windows Server 2012 R2
+
+-   Microsoft Office security baseline
+    -   Office 2016 
+
+-   Tools
+    -   Policy Analyzer tool
+    -   Local Group Policy Object (LGPO) tool
+
+
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
+
+## What is the Policy Analyzer tool?
+
+The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
+-   Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+-   Highlight the differences between versions or sets of Group Policies
+-   Compare GPOs against current local policy and local registry settings
+-   Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 
+
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Local Group Policy Object (LGPO) tool?
+
+LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. 
+Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. 
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. 
+It can export local policy to a GPO backup. 
+It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+
+Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
new file mode 100644
index 0000000000..af866029c2
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -0,0 +1,79 @@
+---
+title: Windows security baselines
+description: This article, and the articles it links to, describe how to use Windows security baselines in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: sagaudre
+author: justinha
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/25/2018
+---
+
+# Windows security baselines
+
+**Applies to**  
+
+-   Windows 10
+-   Windows Server 2016 
+-   Office 2016 
+
+## Using security baselines in your organization 
+
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. 
+
+Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. 
+
+Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
+
+## What are security baselines? 
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. 
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. 
+
+## Why are security baselines needed? 
+
+Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. 
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine  the appropriate value for each setting. 
+
+In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups.
+
+## How can you use security baselines? 
+
+You can use security baselines to: 
+-   Ensure that user and device configuration settings are compliant with the baseline. 
+-   Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
+
+## Where can I get the security baselines? 
+
+You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing  baselines in addition to the security baselines.
+
+The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
+
+[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) 
+
+## Community
+
+[![Microsoft Security Guidance Blog](./../images/community.png)](https://blogs.technet.microsoft.com/secguide/) 
+
+## Related Videos
+
+You may also be interested in this msdn channel 9 video: 
+-   [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
+
+## See Also
+
+-   [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+-   [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/)
+-   [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
+-   [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+-   [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md
new file mode 100644
index 0000000000..aaf62986eb
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md
@@ -0,0 +1,28 @@
+---
+title: Windows security guidance for enterprises
+description: This article describes how to use Windows security baselines in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Windows security guidance for enterprises
+
+**Applies to**  
+
+-   Windows 10
+
+The topics in this section provide security configuration guidelines for enterprises. You can use these guidelines to deploy security configuration settings and to ensure that user and device settings comply with enterprise policies.  
+
+| Capability | Description |
+|------------|-------------|
+| [Windows security baselines](windows-security-baselines.md) | Microsoft-recommended configuration settings and their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.   |
+| [Windows security configuration framework](windows-security-configuration-framework.md) | Five distinct security configurations for more granular control over productivity devices and privileged access workstations. |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
new file mode 100644
index 0000000000..e17ed61da6
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
@@ -0,0 +1,64 @@
+---
+title: Windows security configuration framework
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/05/2018
+---
+
+# Introducing the security configuration framework
+
+**Applies to**  
+
+-   Windows 10
+
+Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. 
+It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns.
+
+Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. 
+However, many organizations have discovered that this baseline sets a very high bar. 
+While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. 
+They can’t justify the investment in that very high level of security with an ROI. 
+
+As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10. 
+This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
+
+![SECCON Framework](images/seccon-framework.png)
+
+- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
+- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
+- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
+- [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon!
+- [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon!
+
+
+The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
+(Levels 5, 4, and 3). 
+Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec).
+
+Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level. 
+Level 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
+
+## Security control classification
+
+The recommendations are grouped into three categories.
+
+![Security Control Classifications](images/security-control-classification.png)
+
+
+## Security control deployment methodologies
+
+The way Microsoft recommends implementing these controls depends on the
+auditability of the control–there are two primary methodologies.
+
+![Security Control Deployment methodologies](images/security-control-deployment-methodologies.png) 
+
+
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index a48b1bcd0e..1798631ea3 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -29,7 +29,6 @@ Windows 10 provides IT professionals with advanced protection against modern sec
 
 ## Learn more
 
-- [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap)
 - [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
 - [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history)
 - [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 4a15ed3e75..dd8a314962 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -305,7 +305,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
 
 ### Faster sign-in to a Windows 10 shared pc
 
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash!
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
 
 **To enable fast sign-in:**
 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.