EnhancedAppLayerSecurity
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
index 88398bc1c5..486779f038 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uefi.png b/windows/client-management/mdm/images/provisioning-csp-uefi.png
new file mode 100644
index 0000000000..6900dd0c83
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-uefi.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 820cf5dfd6..8fdf97effb 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,12 +10,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 02/05/2018
---
# What's new in MDM enrollment and management
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@@ -1385,6 +1389,27 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### February 2018
+
+
+
+
+
+
+
+
+
+
+
+| [VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md) |
+Updated the XSD and Plug-in profile example for VPNv2 CSP.
+ |
+
+
+
### January 2018
@@ -1517,6 +1542,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.
|
+| [DMClient CSP](dmclient-csp.md) |
+Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:
+
+- AADSendDeviceToken
+- BlockInStatusPage
+- AllowCollectLogsButton
+- CustomErrorText
+- SkipDeviceStatusPage
+- SkipUserStatusPage
+
+ |
+
| [RemoteWipe CSP](remotewipe-csp.md) |
Added the following nodes in Windows 10, next major update:
@@ -1530,6 +1567,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
| [Defender CSP](defender-csp.md) |
Added new node (OfflineScan) in Windows 10, next major update.
| |
+
+| [UEFI CSP](uefi-csp.md) |
+Added a new CSP in Windows 10, next major update.
+ |
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index b3eec1da15..f031f91a4b 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/26/2018
---
# Office CSP
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
@@ -144,31 +144,54 @@ To get the current status of Office 365 on the device.
| 997 |
Installation in progress |
-Windows Information Protection |
+ |
-| 13 (ERROR_INVALID_DATA) |
-Cannot verify signature of the downloaded ODT |
+13 |
+ERROR_INVALID_DATA
+ Cannot verify signature of the downloaded Office Deployment Tool (ODT) |
Failure |
-| 1460 (ERROR_TIMEOUT) |
-Failed to download ODT |
+1460 |
+ERROR_TIMEOUT
+ Failed to download ODT |
Failure |
-| 1603 (ERROR_INSTALL_FAILURE) |
-Failed any pre-req check.
+ | 1602 |
+ERROR_INSTALL_USEREXIT
+ User cancelled the installation |
+Failure |
+
+
+| 1603 |
+ERROR_INSTALL_FAILURE
+ Failed any pre-req check.
- SxS (Tried to install when 2016 MSI is installed)
-- Bit mismatch
+- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
|
Failure |
+| 17000 |
+ERROR_PROCESSPOOL_INITIALIZATION
+ Failed to start C2RClient |
+Failure |
+
+
+| 17001 |
+ERROR_QUEUE_SCENARIO
+ Failed to queue installation scenario in C2RClient |
+Failure |
+
+
| 17002 |
-Failed to complete the process. Possible reasons:
+| ERROR_COMPLETING_SCENARIO
+ Failed to complete the process. Possible reasons:
+
- Installation cancelled by user
- Installation cancelled by another installation
- Out of disk space during installation
@@ -177,13 +200,60 @@ To get the current status of Office 365 on the device.
Failure |
| |
-| 17004 |
-Unknown SKU |
+17003 |
+ERROR_ANOTHER_RUNNING_SCENARIO
+ Another scenario is running |
Failure |
-| 0x8000ffff (E_UNEXPECTED) |
-Tried to uninstall when there is no C2R Office on the machine. |
+17004 |
+ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
+ Possible reasons:
+
+- Unknown SKUs
+- Content does't exist on CDN
+
- such as trying to install an unsupported LAP, like zh-sg
+- CDN issue that content is not available
+
+- Signature check issue, such as failed the signature check for Office content
+- User cancelled
+
+ |
+Failure |
+
+
+| 17005 |
+ERROR_SCENARIO_CANCELLED_AS_PLANNED |
+Failure |
+
+
+| 17006 |
+ERROR_SCENARIO_CANCELLED
+ Blocked update by running apps |
+Failure |
+
+
+| 17007 |
+ERROR_REMOVE_INSTALLATION_NEEDED
+ The client is requesting client clean up in a "Remove Installation" scenario |
+Failure |
+
+
+| 17100 |
+ERROR_HANDLING_COMMAND_LINE
+ C2RClient command line error |
+Failure |
+
+
+| 0x80004005 |
+E_FAIL
+ ODT cannot be used to install Volume license |
+Failure |
+
+
+| 0x8000ffff |
+E_UNEXPECTED
+ Tried to uninstall when there is no C2R Office on the machine. |
Failure |
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 715c403580..07dec60956 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -376,30 +376,6 @@ The following diagram shows the Policy configuration service provider in tree fo
Bitlocker/EncryptionMethod
-
- BitLocker/EncryptionMethodByDriveType in BitLocker CSP
-
-
- BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP
-
-
- BitLocker/FixedDrivesRequireEncryption in BitLocker CSP
-
-
- BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP
-
-
- BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP
-
-
- BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP
-
-
- BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP
-
-
- BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP
-
### Bluetooth policies
@@ -2822,6 +2798,7 @@ The following diagram shows the Policy configuration service provider in tree fo
SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
+
### TaskScheduler policies
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
new file mode 100644
index 0000000000..0b6de467ab
--- /dev/null
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -0,0 +1,87 @@
+---
+title: UEFI CSP
+description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI CSP
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, next major update.
+
+The following diagram shows the UEFI CSP in tree format.
+
+
+
+The following list describes the characteristics and parameters.
+
+**./Vendor/MSFT/Uefi**
+Root node.
+
+**UefiDeviceIdentifier**
+Retrieves XML from UEFI which describes the device identifier.
+
+Supported operation is Get.
+
+**IdentityInfo**
+Node for provisioned signers operations.
+
+
+**IdentityInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI identity information.
+
+Supported operation is Get.
+
+**IdentityInfo/Apply**
+Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**IdentityInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+Supported operation is Get.
+
+**AuthInfo**
+Node for permission information operations.
+
+**AuthInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+Supported operation is Get.
+
+**AuthInfo/Apply**
+Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**AuthInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+Supported operation is Get.
+
+**Config**
+Node for device configuration
+
+**Config/Current**
+Retrieves XML from UEFI which describes the current UEFI configuration.
+
+Supported operation is Get.
+
+**Config/Apply**
+Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**Config/ApplyResult**
+Retrieves XML describing the results of previous ApplyConfig operation.
+
+Supported operation is Get.
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
new file mode 100644
index 0000000000..5f8e6403eb
--- /dev/null
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -0,0 +1,330 @@
+---
+title: UEFI DDF file
+description: UEFI DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI DDF file
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ Uefi
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/Uefi
+
+
+
+ UefiDeviceIdentifier
+
+
+
+
+ Retrieves XML from UEFI which describes the device identifier.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IdentityInfo
+
+
+
+
+ Provisioned signers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI identity information
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ AuthInfo
+
+
+
+
+ Permission Information
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Config
+
+
+
+
+ Device Configuration
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI configuration.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyConfig operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 4934ae68ec..7f839bb83d 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 02/05/2018
---
# ProfileXML XSD
@@ -31,6 +31,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
@@ -46,6 +48,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -388,6 +404,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
true
false
+ false
+ false
corp.contoso.com
contoso.com,test.corp.contoso.com
@@ -396,6 +414,14 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
Helloworld.Com
+
+
+
+
+
+
+
+
```
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index a34a6aa5a7..efdd0f54a8 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -16,7 +16,7 @@ ms.date: 01/29/2018
**Applies to**
-- Windows 10
+- Windows 10 Enterprise edition
- Windows Server 2016
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
@@ -27,11 +27,19 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
+This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
+Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
+However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
+Make sure should you've chosen the right settings configuration for your environment before applying.
+You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+
+Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
+It is recommended that you restart a device after making configuration changes to it.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-## What's new in Windows 10, version 1709
+## What's new in Windows 10, version 1709 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1709:
@@ -39,7 +47,7 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added the Storage Health section.
- Added discussion of apps for websites in the Microsoft Store section.
-## What's new in Windows 10, version 1703
+## What's new in Windows 10, version 1703 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1703:
@@ -73,9 +81,9 @@ The following sections list the components that make network connections to Micr
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-### Settings for Windows 10 Enterprise, version 1703
+### Settings for Windows 10 Enterprise edition
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
+See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
@@ -1430,11 +1438,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+
+> [!NOTE]
+> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
-or-
@@ -1474,7 +1485,11 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- Turn off the feature in the UI for each app.
+- In **Background apps**, set **Let apps run in the background** to **Off**.
+
+ -or-
+
+- In **Background apps**, turn off the feature for each app.
-or-
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 3452191682..dc565440b6 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -98,7 +98,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
@@ -199,4 +199,4 @@ With all these options, which an organization chooses depends on the resources,
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
\ No newline at end of file
+
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 8b85bf57aa..5716edbdd3 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -29,7 +29,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.
- - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
diff --git a/windows/device-security/bitlocker/bitlocker-basic-deployment.md b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
index 9a2d09f6a4..529ff6e574 100644
--- a/windows/device-security/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
@@ -17,14 +17,7 @@ ms.date: 04/19/2017
This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization:
-
-- [Using BitLocker to encrypt volumes](#bkmk-dep1)
-- [Down-level compatibility](#bkmk-dep2)
-- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3)
-- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4)
-
-## Using BitLocker to encrypt volumes
+## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
4