Commit 13d9870

Merge pull request #7755 from MicrosoftDocs/master
10/18 PM Publish
2 parents ef11502 + 96b308b commit 13d9870

35 files changed

Lines changed: 136 additions & 132 deletions

docs/advanced-analytics/administration/modify-user-account-pool.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: How to modify the user account pool to scale SQL Server Machine Lea
44
ms.prod: sql
55
ms.technology: machine-learning
66

7-
ms.date: 10/04/2018
7+
ms.date: 10/17/2018
88
ms.topic: conceptual
99
author: dphansen
1010
ms.author: davidph

docs/advanced-analytics/concepts/extensibility-framework.md

Lines changed: 4 additions & 2 deletions
@@ -4,7 +4,7 @@ description: External code support for the SQL Server database engine, with dual
44
ms.prod: sql
55
ms.technology: machine-learning
66

7-
ms.date: 09/05/2018
7+
ms.date: 10/17/2018
88
ms.topic: conceptual
99
author: HeidiSteen
1010
ms.author: heidist
@@ -48,7 +48,7 @@ Components include a **Launchpad** service used to invoke language-specific laun
4848

4949
## Launchpad
5050

51-
The SQL Server Trusted Launchpad is a service that manages and executes external scripts, similar to the way that the full-text indexing and query service launches a separate host for processing full-text queries. The Launchpad service can start only trusted launchers that are published by Microsoft, or that have been certified by Microsoft as meeting requirements for performance and resource management.
51+
The [!INCLUDE[rsql_launchpad_md](../../includes/rsql-launchpad-md.md)] is a service that manages and executes external scripts, similar to the way that the full-text indexing and query service launches a separate host for processing full-text queries. The Launchpad service can start only trusted launchers that are published by Microsoft, or that have been certified by Microsoft as meeting requirements for performance and resource management.
5252

5353
| Trusted launchers | Extension | SQL Server versions |
5454
|-------------------|-----------|---------------------|
@@ -57,6 +57,8 @@ The SQL Server Trusted Launchpad is a service that manages and executes external
5757

5858
The [!INCLUDE[rsql_launchpad_md](../../includes/rsql-launchpad-md.md)] service runs under its own user account. If you change the account that runs Launchpad, be sure to do so using SQL Server Configuration Manager, to ensure that changes are written to related files.
5959

60+
A separate [!INCLUDE[rsql_launchpad_md](../../includes/rsql-launchpad-md.md)] service is created for each database engine instance to which you have added SQL Server Machine Learning Services. There is one Launchpad service for each database engine instance, so if you have multiple instances with external script support, you will have a Launchpad service for each one. A database engine instance is bound to the Launchpad service created for it. All invocations of external script in a stored procedure or T-SQL result in the SQL Server service calling the Launchpad service created for the same instance.
61+
6062
To execute tasks in a specific supported language, the Launchpad gets a secured worker account from the pool, and starts a satellite process to manage the external runtime. Each satellite process inherits the user account of the Launchpad and uses that worker account for the duration of script execution. If script uses parallel processes, they are created under the same, single worker account.
6163

6264
## BxlServer and SQL Satellite
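
Review bot: The paragraph added at new line 60 makes the one-service-per-instance point twice, first as "A separate ... service is created for each database engine instance" and again as "There is one Launchpad service for each database engine instance, so ...". Merge the two into a single sentence and keep the binding statement that follows. In the last sentence, "All invocations of external script" should read "external scripts".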

docs/advanced-analytics/concepts/security.md

Lines changed: 60 additions & 29 deletions
Large diffs are not rendered by default.

docs/advanced-analytics/security/add-sqlrusergroup-to-database.md

Lines changed: 7 additions & 7 deletions
@@ -4,7 +4,7 @@ description: For loopback connections using implied authentication, add SQLRUser
44
ms.prod: sql
55
ms.technology: machine-learning
66

7-
ms.date: 10/10/2018
7+
ms.date: 10/17/2018
88
ms.topic: conceptual
99
author: dphansen
1010
ms.author: davidph
@@ -13,11 +13,11 @@ manager: cgronlun
1313
# Add SQLRUserGroup as a database user
1414
[!INCLUDE[appliesto-ss-xxxx-xxxx-xxx-md-winonly](../../includes/appliesto-ss-xxxx-xxxx-xxx-md-winonly.md)]
1515

16-
Create a database login for the [SQLRUserGroup](../concepts/security.md#sqlrusergroup) when a loopback connection in your script specifies a *trusted connection*, and the identity used to execute whatever object contains your code is a Windows account.
16+
Create a database login for [SQLRUserGroup](../concepts/security.md#sqlrusergroup) when a [loop back connection](../../advanced-analytics/concepts/security.md#implied-authentication) in your script specifies a *trusted connection*, and the identity used to execute an object contains your code is a Windows user account.
1717

18-
Trusted connections are those having `Trusted_Connection=True` in the connection string. When SQL Server receives a request specifying a trusted connection, it checks whether the identity of the current user has a login. For external satellite processes executing as a worker account (such as MSSQLSERVER01 from **SQLRUserGroup**), the request fails because those accounts do not have a login by default.
18+
Trusted connections are those having `Trusted_Connection=True` in the connection string. When SQL Server receives a request specifying a trusted connection, it checks whether the identity of the current Windows user has a login. For external processes executing as a worker account (such as MSSQLSERVER01 from **SQLRUserGroup**), the request fails because those accounts do not have a login by default.
1919

20-
You can work around the connection error by giving **SQLServerRUserGroup** a database login on your server. For more information about identities and external processes, see [Security overview for the extensibility framework](../concepts/security.md).
20+
You can work around the connection error by giving **SQLServerRUserGroup** a SQL Server login. For more information about identities and external processes, see [Security overview for the extensibility framework](../concepts/security.md).
2121

2222
> [!Note]
2323
> Make sure that **SQLRUserGroup** has "Allow Log on locally" permissions. By default, this right is given to all new local users, but in some organizations stricter group policies might disable this right.
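
Review bot: New line 16 no longer parses: "the identity used to execute an object contains your code is a Windows user account" is missing a relative pronoun; suggest "the identity used to execute the object that contains your code is a Windows user account". The same line writes "loop back connection" where the file's description uses "loopback", and it still says "Create a database login" although line 20 was corrected to "a SQL Server login". Line 20 also names the group **SQLServerRUserGroup** while lines 16, 18 and 23 use **SQLRUserGroup**; the reader has to find this group by name, so use one spelling throughout.
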
@@ -45,9 +45,9 @@ You can work around the connection error by giving **SQLServerRUserGroup** a dat
4545
5. Scroll through the list of group accounts on the server until you find one beginning with `SQLRUserGroup`.
4646

4747
+ The name of the group that's associated with the Launchpad service for the _default instance_ is always **SQLRUserGroup**, regardless of whether you installed R or Python or both. Select this account for the default instance only.
48-
+ If you are using a _named instance_, the instance name is appended to the name of the default worker group name, `SQLRUserGroup`. Hence, if your instance is named "MLTEST", the default user group name for this instance would be **SQLRUserGroupMLTest**.
48+
+ If you are using a _named instance_, the instance name is appended to the name of the default worker group name, `SQLRUserGroup`. For example, if your instance is named "MLTEST", the default user group name for this instance would be **SQLRUserGroupMLTest**.
4949

50-
![Example of groups on server](media/implied-auth-login5.png "Example of groups on server")
50+
![Example of groups on server](media/implied-auth-login5.png "Example of groups on server")
5151

5252
5. Click **OK** to close the advanced search dialog box.
5353

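Review bot: Line 48 gives the instance name as "MLTEST" but the resulting group as **SQLRUserGroupMLTest**; the sentence says the instance name is appended, so the example should use the same casing in both places. The step numbering in this hunk shows "5." twice (lines 45 and 52); the second should be 6 so that it leads into step 7 in the next hunk.
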
@@ -58,7 +58,7 @@ You can work around the connection error by giving **SQLServerRUserGroup** a dat
5858

5959
7. In the **Login - New** dialog box, click **OK**. By default, the login is assigned to the **public** role and has permission to connect to the database engine.
6060

61-
## See also
61+
## Next steps
6262

6363
+ [Security overview](../concepts/security.md)
6464
+ [Extensibility framework](../concepts/extensibility-framework.md)

docs/advanced-analytics/security/firewall-configuration.md

Lines changed: 3 additions & 3 deletions
@@ -4,7 +4,7 @@ description: How to configure the firewall for SQL Server Machine Learning Servi
44
ms.prod: sql
55
ms.technology: machine-learning
66

7-
ms.date: 10/01/2018
7+
ms.date: 10/17/2018
88
ms.topic: conceptual
99
author: dphansen
1010
ms.author: davidph
@@ -17,9 +17,9 @@ This article lists firewall configuration considerations that the administrator
1717

1818
## Default firewall rules
1919

20-
By default, the SQL Server Setup disables outbound connections by creating firewall rules.
20+
By default, the SQL Server Setup disables outbound connections by creating firewall rules.
2121

22-
In SQL Server 2016 and 2017, these rules are based on local user accounts, where Setup created one outbound rule for **SQLRUserGroup** that denied network access to its members (each worker account was listed as a local principle subject to the rule.
22+
In SQL Server 2016 and 2017, these rules are based on local user accounts, where Setup created one outbound rule for **SQLRUserGroup** that denied network access to its members (each worker account was listed as a local principle subject to the rule. For more information about SQLRUserGroup, see [Security overview for the extensibility framework in SQL Server Machine Learning Services](../../advanced-analytics/concepts/security.md#sqlrusergroup).
2323

2424
In SQL Server 2019, as part of the move to AppContainers, there are new firewall rules based on AppContainer SIDs: one for each of the 20 AppContainers created by SQL Server Setup. Naming conventions for the firewall rule name are **Block network access for AppContainer-00 in SQL Server instance MSSQLSERVER**, where 00 is the number of the AppContainer (00-20 by default), and MSSQLSERVER is the name of the SQL Server instance.
2525

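Review bot: The sentence extended at line 22 still carries an unclosed parenthesis, "(each worker account was listed as a local principle subject to the rule.", and the new cross-reference is appended after it, so the parenthetical now never ends; close it before "For more information" and change "principle" to "principal". On context line 24, "one for each of the 20 AppContainers" does not agree with "(00-20 by default)", which spans 21 numbers; anyone checking that every block rule is present needs the exact range, so confirm which figure is right.
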
Lines changed: 15 additions & 24 deletions
@@ -1,10 +1,10 @@
11
---
2-
title: SQL Server Trusted Launchpad service account configuration | Microsoft Docs
3-
description: How to modify the SQL Server Trusted Launchpad service account used for external script execution on SQL Server.
2+
title: SQL Server Launchpad service account configuration | Microsoft Docs
3+
description: How to modify the SQL Server Launchpad service account used for external script execution on SQL Server.
44
ms.prod: sql
55
ms.technology: machine-learning
66

7-
ms.date: 09/27/2018
7+
ms.date: 10/17/2018
88
ms.topic: conceptual
99
author: dphansen
1010
ms.author: davidph
@@ -15,15 +15,13 @@ manager: cgronlun
1515

1616
The [!INCLUDE[rsql_launchpad_md](../../includes/rsql-launchpad-md.md)] is a service that manages and executes external scripts, similar to the way that the full-text indexing and query service launches a separate host for processing full-text queries.
1717

18-
A separate [!INCLUDE[rsql_launchpad_md](../../includes/rsql-launchpad-md.md)] service is created for each database engine instance to which you have added SQL Server machine learning (R or Python) integration. There is one Launchpad service for each database engine instance, so if you have multiple instances with R or Python support, you will have a Launchpad service for each one. A database engine instance is bound to the Launchpad service created for it. All invocations of external script in a stored procedure or T-SQL result in the SQL Server service calling the Launchpad service created for the same instance.
19-
2018
For more information, see the Launchpad sections in [Extensibility architecture in SQL Server Machine Learning Services](../../advanced-analytics/concepts/extensibility-framework.md#launchpad) and [Security overview for the extensibility framework in SQL Server Machine Learning Services](../../advanced-analytics/concepts/security.md#launchpad).
2119

2220
## Account permissions
2321

24-
By default, SQL Server Launchpad is configured to run under **NT Service\MSSQLLaunchpad**, which is provisioned with all necessary permissions to run external scripts. Stripping permissions from this account can result in Launchpad failing to start or to access the SQL Server instance where external scripts should be run.
22+
By default, SQL Server Launchpad is configured to run under **NT Service\MSSQLLaunchpad**, which is provisioned with all necessary permissions to run external scripts. Removing permissions from this account can result in Launchpad failing to start or to access the SQL Server instance where external scripts should be run.
2523

26-
If you modify the service account, be sure to use the **Local Security Policy** application (**All apps** > **Windows Administrative Tools** > **Local Security Policy**).
24+
If you modify the service account, be sure to use the [Local Security Policy console](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
2725

2826
Permissions required for this account are listed in the following table.
2927

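Review bot: Line 24 reads as if the service account itself is changed in the Local Security Policy console, but step 2 later in this file and line 58 of extensibility-framework.md in this commit both send the reader to SQL Server Configuration Manager to change the account. Say what the console is for here, presumably assigning the permissions listed in the table that line 26 introduces, so the two instructions do not compete.
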
@@ -42,46 +40,39 @@ For more information about permissions required to run SQL Server services, see
4240

4341
Typically, there is no reason to modify service configuration. Properties that could be changed include the service account, the count of external processes (20 by default), or the password reset policy for worker accounts.
4442

45-
1. Open [SQL Server Configuration Manager](../../relational-databases/sql-server-configuration-manager.md).
46-
47-
+ On the Start page, type **MMC** to open the Microsoft Management Console.
48-
49-
+ On **File** > **Add/Remove Snap-in**, move **SQL Server Configuration Manager** from Available to Selected Snap-ins.
50-
51-
2. In SQL Server Configuration Manager under SQL Server Services, right-click SQL Server Launchpad and select **Properties**.
43+
1. Open [SQL Server Configuration Manager](../../relational-databases/sql-server-configuration-manager.md).
5244

45+
2. Under SQL Server Services, right-click SQL Server Launchpad and select **Properties**.
5346
+ To change the service account, click the **Log On** tab.
54-
55-
+ To increase the number of users, click the **Advanced** tab.
47+
+ To increase the number of users, click the **Advanced** tab and change the **Security Contexts Count**.
5648

5749
> [!Note]
5850
> In early versions of SQL Server 2016 R Services, you could change some properties of the service by editing the [!INCLUDE[rsql_productname](../../includes/rsql-productname-md.md)] configuration file. This file is no longer used for changing configurations. SQL Server Configuration Manager is the right approach for changes to service configuration, such as the service account and number of users.
5951
6052
## Debug settings
6153

62-
A few properties can only be changed by using the Launchpad's configuration file, which might be useful in limited cases, such as debugging. The configuration file is created during [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] setup and by default is saved as a plain text file in the following location: `<instance path>\binn\rlauncher.config`
54+
A few properties can only be changed by using the Launchpad's configuration file, which might be useful in limited cases, such as debugging. The configuration file is created during the [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] setup and by default is saved as a plain text file in `<instance path>\binn\rlauncher.config`.
6355

6456
You must be an administrator on the computer that is running [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] to make changes to this file. If you edit the file, we recommend that you make a backup copy before saving changes.
6557

66-
The following table lists the advanced settings for [!INCLUDE[ssCurrent](../../includes/sscurrent-md.md)], with the permissible values.
58+
The following table lists the advanced settings for [!INCLUDE[ssCurrent](../../includes/sscurrent-md.md)], with the permissible values.
6759

6860
|**Setting name**|**Type**|**Description**|
6961
|----|----|----|
7062
|JOB\_CLEANUP\_ON\_EXIT|Integer |This is an internal setting only – do not change this value. </br></br>Specifies whether the temporary working folder created for each external runtime session should be cleaned up after the session is completed. This setting is useful for debugging. </br></br>Supported values are **0** (Disabled) or **1** (Enabled). </br></br>The default is 1, meaning log files are removed on exit.|
71-
|TRACE\_LEVEL|Integer |Configures the trace verbosity level of MSSQLLAUNCHPAD for debugging purposes. This affects trace files in the path specified by the LOG_DIRECTORY setting. </br></br>Supported values are: **1** (Error), **2** (Performance), **3** (Warning), **4** (Information). </br></br>The default is 1, meaning output warnings only.|
63+
|TRACE\_LEVEL|Integer |Configures the trace verbosity level of MSSQLLAUNCHPAD for debugging purposes. This affects trace files in the path specified by the LOG_DIRECTORY setting. </br></br>Supported values are: **1** (Error), **2** (Performance), **3** (Warning), **4** (Information). </br></br>The default is 1, meaning output errors only.|
7264

7365
All settings take the form of a key-value pair, with each setting on a separate line. For example, to change the trace level, you would add the line `Default: TRACE_LEVEL=4`.
7466

7567
## Enforcing password policy
7668

7769
If your organization has a policy that requires changing passwords on a regular basis, you may need to force the Launchpad service to regenerate the encrypted passwords that Launchpad maintains for its worker accounts.
7870

79-
To enable this setting and force password refresh, open the **Properties** pane for the Launchpad service in SQL Server Configuration Manager, click **Advanced**, and change **Reset External Users Password** to **Yes**. When you apply this change, the passwords will immediately be regenerated for all user accounts. To use R script after this change, you must restart the Launchpad service, at which time it will read the newly generated passwords.
71+
To enable this setting and force password refresh, open the **Properties** pane for the Launchpad service in SQL Server Configuration Manager, click **Advanced**, and change **Reset External Users Password** to **Yes**. When you apply this change, the passwords will immediately be regenerated for all user accounts. To run an external script after this change, you must restart the Launchpad service, at which time it will read the newly generated passwords.
8072

8173
To reset passwords at regular intervals, you can either set this flag manually or use a script.
8274

83-
## See also
84-
85-
[Extensibility framework](../concepts/extensibility-framework.md)
75+
## Next steps
8676

87-
[Security overview](../concepts/security.md)
77+
+ [Extensibility framework](../concepts/extensibility-framework.md)
78+
+ [Security overview](../concepts/security.md)
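
Review bot: Line 47 introduces **Security Contexts Count** but keeps "To increase the number of users", while line 41 calls the same property "the count of external processes (20 by default)" and the note at line 50 says "number of users"; pick one term and tie it to the field name once. In the table, the JOB_CLEANUP_ON_EXIT row at line 62 says "do not change this value" and, in the same cell, "This setting is useful for debugging", and it describes cleaning up the working folder but gives the default as "log files are removed on exit"; the TRACE_LEVEL row beside it was corrected in this hunk, so this row could be fixed in the same pass. Line 73 mentions resetting passwords with "a script" without saying what the script would set.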
