Merge remote-tracking branch 'refs/remotes/origin/master' into vs-8493293

CONTRIBUTING.md

@@ -30,7 +30,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
        ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 
-4.	Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see:
+4.	Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
     - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
     
     - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) 

devices/surface-hub/create-a-device-account-using-office-365.md

@@ -54,7 +54,7 @@ If you prefer to use a graphical user interface, you can create a device account
 
     ![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png)
 
-    From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
+    From the list, select **Skype for Business Online (Plan 2)**, and then click **SAVE**. The license may vary depending on your organization (for example, you might have Plan 2, or Plan 3). 
 
 ### <a href="" id="create-device-acct-o365-mbx-policy"></a>Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center
 
@@ -133,8 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
 5.  Finally, to connect to Exchange Online Services, run:
 
     ``` syntax
-    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
-    "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
+    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
     ```
 
     ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)

devices/surface-hub/device-reset-surface-hub.md

@@ -30,7 +30,7 @@ Initiating a reset will return the device to the last cumulative Windows update,
 -   Local admins on the device
 -   Configurations from MDM or the Settings app
 
-**To reset a Surface Hub from Settings**</br>
+**To reset a Surface Hub**
 1.	On your Surface Hub, open **Settings**. 
 
     ![Image showing Settings app for Surface Hub.](images/sh-settings.png)
@@ -43,18 +43,8 @@ Initiating a reset will return the device to the last cumulative Windows update,
 
     ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) 
 
-**To reset a Surface Hub from Windows Recovery Environment**</br>
-On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. If this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from Windows Recovery Environment (Windows RE). To learn more about Windows RE, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx).
-
-To reset a Surface Hub from Windows RE:
-
-1.  From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
-2.  The device should automatically boot into Windows RE. Select **Advanced Repair**.
-3.  Select **Reset**.
-4.  If prompted, enter your device's BitLocker key.
-
 **Important Note**</br>
-Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
 
 After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
 
@@ -63,4 +53,4 @@ After the reset, Surface Hub restarts the [first run program](first-run-program-
 
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
-[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface/TOC.md

@@ -12,6 +12,7 @@
 ## [Surface Data Eraser](microsoft-surface-data-eraser.md)
 ## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
 ### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
+### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
 ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
 ## [Surface Dock Updater](surface-dock-updater.md)
 ## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

devices/surface/advanced-uefi-security-features-for-surface.md

@@ -0,0 +1,3 @@
+---
+redirect_url: https://technet.microsoft.com/itpro/surface/advanced-uefi-security-features-for-surface-pro-3
+---

devices/surface/using-the-sda-deployment-share.md

@@ -0,0 +1,163 @@
+---
+title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface)
+description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications.
+keywords: deploy, install, automate, deployment solution
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: Scottmca
+---
+
+# Using the Microsoft Surface Deployment Accelerator deployment share
+
+With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
+
+For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/en-us/itpro/surface/microsoft-surface-deployment-accelerator).
+
+Using SDA provides these primary benefits:
+
+* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you.
+
+* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
+
+This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail. 
+
+## Perform a Proof of Concept deployment
+
+One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options.
+
+Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
+
+SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Windows Store and desktop applications, and several models of Surface devices.
+
+Some recommendations for a successful PoC with SDA are:
+
+* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment.
+
+* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment.
+
+* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices.
+
+* Use offline files with SDA to further reduce installation times.
+
+* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/en-us/support/contact-us-business).
+
+## Perform a pilot deployment
+
+A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization.
+
+>[!NOTE]
+>A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed. 
+
+For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
+
+For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
+
+## Import additional drivers
+
+The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals.
+
+For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work.
+
+Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple. 
+
+>[!NOTE]
+>The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers.
+
+To import drivers for a peripheral device:
+
+1. Download the drivers for your device from the manufacturer web site.
+
+2. Open the MDT Deployment Workbench.
+
+3. Expand the **Deployment Shares** node and expand the SDA deployment share.
+
+4. Expand the **Out-of-Box Drivers** folder.
+
+5. Select the folder of the Surface model for which you would like to include this driver.
+
+6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
+
+  ![Provide the location of your driver files](images\using-sda-driverfiles-fig1.png "Provide the location of your driver files")
+  
+  *Figure 1. Provide the location of your driver files*
+
+7. The Import Drivers Wizard presents a series of steps:
+
+  - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1.
+  - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+  - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+  - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
+
+8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver.
+
+9. Close the Deployment Workbench.
+
+After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
+
+>[!NOTE]
+>You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
+
+## Import additional applications
+
+As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users.
+
+In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment:
+
+1.	Download the application installation files or locate the installation media for your application.
+
+2.	Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center.
+
+3.	Open the MDT Deployment Workbench.
+
+4.	Expand the **Deployment Shares** node and expand the SDA deployment share.
+
+5.	Expand the **Applications** folder.
+
+6.	Click **New Application** to start the New Application Wizard, as shown in Figure 2.
+
+  ![Provide the command to install your application](images\using-sda-installcommand-fig2.png "Provide the command to install your application")
+  
+  *Figure 2: Provide the command to install your application*
+
+7.	Follow the steps of the New Application Wizard:
+
+  - **Application Type** – Click **Application with Source Files**, and then click **Next**.
+  - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
+  - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**.
+  - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
+  - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart`
+  - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+  - **Progress** – While the installation files are imported, a progress bar is displayed on this page.
+  - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
+
+8.	Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**.
+
+9.	Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
+
+10.	Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**.
+
+11.	Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
+
+  ![A new Install Application step for Sample POS App](images\using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App")
+  
+  *Figure 3. A new Install Application step for Sample POS App*
+
+12.	On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app.
+
+13.	Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
+
+14.	Select your app from the list of applications, and then click **OK**.
+
+15.	Click **OK** to close the task sequence properties.
+
+16.	Close the Deployment Workbench.
+
+## Work with existing deployment shares
+
+One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them.
+
+This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organization’s precise requirements to Surface devices.
+
+You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure.

education/windows/TOC.md

@@ -1,5 +1,4 @@
 # [Windows 10 for Education](index.md)
-## [Change history for Windows 10 for Education](change-history-edu.md)
 ## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
 ## [Setup options for Windows 10](set-up-windows-10.md)
 ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
@@ -18,3 +17,4 @@
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
 ## [Chromebook migration guide](chromebook-migration-guide.md)
+## [Change history for Windows 10 for Education](change-history-edu.md)

mdop/TOC.md

@@ -1,21 +1,21 @@
 # [Microsoft Desktop Optimization Pack](index.md)
-## [Advanced Group Policy Management](agpm/)
+## [Advanced Group Policy Management](agpm/index.md)
 ## [Application Virtualization]()
-### [Application Virtualization 5](appv-v5/)
-### [Application Virtualization 4](appv-v4/)
+### [Application Virtualization 5](appv-v5/index.md)
+### [Application Virtualization 4](appv-v4/index.md)
 ### [SoftGrid Application Virtualization](softgrid-application-virtualization.md)
 ## [Diagnostics and Recovery Toolset]()
-### [Diagnostics and Recovery Toolset 10](dart-v10/)
-### [Diagnostics and Recovery Toolset 8](dart-v8/)
-### [Diagnostics and Recovery Toolset 7](dart-v7/)
+### [Diagnostics and Recovery Toolset 10](dart-v10/index.md)
+### [Diagnostics and Recovery Toolset 8](dart-v8/index.md)
+### [Diagnostics and Recovery Toolset 7](dart-v7/index.md)
 ### [Diagnostics and Recovery Toolset 6.5](dart-v65.md)
 ## [Microsoft Bitlocker Administration and Monitoring]()
-### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/)
-### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/)
-### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/)
+### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/index.md)
+### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/index.md)
+### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/index.md)
 ## [Microsoft Enterprise Desktop Virtualization]()
-### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/)
+### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/index.md)
 ## [User Experience Virtualization]()
-### [User Experience Virtualization 2](uev-v2/)
-### [User Experience Virtualization 1](uev-v1/)
-## [MDOP Solutions and Scenarios](solutions/)
+### [User Experience Virtualization 2](uev-v2/index.md)
+### [User Experience Virtualization 1](uev-v1/index.md)
+## [MDOP Solutions and Scenarios](solutions/index.md)

windows/TOC.md

@@ -1,6 +1,6 @@
 # [Windows 10 and Windows 10 Mobile](index.md)
-## [What's new in Windows 10](whats-new/)
-## [Plan for Windows 10 deployment](plan/)
-## [Deploy Windows 10](deploy/)
-## [Keep Windows 10 secure](keep-secure/)
-## [Manage and update Windows 10](manage/)
+## [What's new in Windows 10](whats-new/index.md)
+## [Plan for Windows 10 deployment](plan/index.md)
+## [Deploy Windows 10](deploy/index.md)
+## [Keep Windows 10 secure](keep-secure/index.md)
+## [Manage and update Windows 10](manage/index.md)

windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md

@@ -36,13 +36,12 @@ This section will show you how to import some network and storage drivers for Wi
 
 5.  On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
 
-![figure 21](images/fig21-add-drivers.png)
+![Add drivers to Windows PE](images/fig21-add-drivers.png "Add drivers to Windows PE")
 
-Figure 21. Add drivers to Windows PE.
-
-**Note**  
-The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
+*Figure 21. Add drivers to Windows PE*
 
+>[!NOTE]  
+>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
  
 
 ## <a href="" id="sec02"></a>Add drivers for Windows 10
@@ -56,31 +55,28 @@ This section illustrates how to add drivers for Windows 10 through an example in
 
 3.  On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
 
-    ![figure 22](images/fig22-createcategories.png)
+    ![Create driver categories](images/fig22-createcategories.png "Create driver categories")
 
-    Figure 22. Create driver categories.
+    *Figure 22. Create driver categories*
 
 4.  On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
 
-    1.  Name: Windows 10 x64 - HP EliteBook 8560w
+    * Name: Windows 10 x64 - HP EliteBook 8560w
 
-    2.  Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
-    **Note**  
-    The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
+    * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
 
+    >[!NOTE]  
+    >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
      
 
 5.  On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
 
-**Note**  
-If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-
- 
-
-![figure 23](images/mdt-06-fig26.png)
-
-Figure 23. Drivers imported and a new driver package created.
+    >[!NOTE]  
+    >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+  
+    ![Drivers imported and a new driver package created](images/mdt-06-fig26.png "Drivers imported and a new driver package created")
+  
+    *Figure 23. Drivers imported and a new driver package created*
 
 ## Related topics
 

windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md

@@ -25,7 +25,7 @@ For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is
 ## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard
 
 
-This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
 
 1.  On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
 
@@ -33,27 +33,27 @@ This section will walk you through the process of creating a System Center 2012
 
 3.  On the **General** page, assign the following settings and then click **Next**:
 
-    1.  Task sequence name: Windows 10 Enterprise x64 RTM
+    * Task sequence name: Windows 10 Enterprise x64 RTM
 
-    2.  Task sequence comments: Production image with Office 2013
+    * Task sequence comments: Production image with Office 2013
 
 4.  On the **Details** page, assign the following settings and then click **Next**:
 
-    1.  Join a Domain
+    * Join a Domain
 
-    2.  Domain: contoso.com
+    * Domain: contoso.com
 
-        1.  Account: CONTOSO\\CM\_JD
+        * Account: CONTOSO\\CM\_JD
 
-        2.  Password: Passw0rd!
+        * Password: Passw0rd!
 
-    3.  Windows Settings
+    * Windows Settings
 
-        1.  User name: Contoso
+        * User name: Contoso
 
-        2.  Organization name: Contoso
+        * Organization name: Contoso
 
-        3.  Product key: &lt;blank&gt;
+        * Product key: &lt;blank&gt;
 
 5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
 
@@ -88,12 +88,10 @@ After you create the task sequence, we recommend that you configure the task seq
 
 2.  In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
 
-    -   OSDPreserveDriveLetter: True
-
-    **Note**  
-    If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-     
+    * OSDPreserveDriveLetter: True
+    
+    >[!NOTE]  
+    >If you don't change this value, your Windows installation will end up in E:\\Windows.
 
 3.  In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
 
@@ -103,57 +101,55 @@ After you create the task sequence, we recommend that you configure the task seq
 
 6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
 
-    1.  Name: HP EliteBook 8560w
+    * Name: HP EliteBook 8560w
 
-    2.  Driver Package: Windows 10 x64 - HP EliteBook 8560w
+    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
 
-    3.  Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-
-    **Note**  
-    You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-
-     
-
-    ![figure 24](images/fig27-driverpackage.png)
-
-    Figure 24. The driver package options.
+    * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
+    
+    >[!NOTE]  
+    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+    
+    ![Driver package options](images/fig27-driverpackage.png "Driver package options")
+    
+    *Figure 24. The driver package options*
 
 7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
 
 8.  Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
 
-    ![figure 25](images/fig28-addapp.png)
+    ![Add an application to the task sequence](images/fig28-addapp.png "Add an application to the task sequence")
 
-    Figure 25. Add an application to the Configuration Manager task sequence.
+    *Figure 25. Add an application to the Configuration Manager task sequence*
 
 9.  In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
 
-    1.  Restore state from another computer
+    * Restore state from another computer
 
-    2.  If computer account fails to connect to state store, use the Network Access account
+    * If computer account fails to connect to state store, use the Network Access account
 
-    3.  Options: Continue on error
+    * Options: Continue on error
 
-    4.  Options / Condition:
-
-        1.  Task Sequence Variable
-
-        2.  USMTLOCAL not equals True
+    * Options / Condition:
+    
+      * Task Sequence Variable
+      
+      * USMTLOCAL not equals True
 
 10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
 
-    1.  Options: Continue on error
+    * Options: Continue on error
 
-    2.  Options / Condition:
-
-        1.  Task Sequence Variable
-
-        2.  USMTLOCAL not equals True
+    * Options / Condition:
+    
+      * Task Sequence Variable
+      
+      * USMTLOCAL not equals True
 
 11. Click **OK**.
 
-**Note**  
-The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
+>[!NOTE]  
+>The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
 
  
 

windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md

@@ -22,15 +22,13 @@ Microsoft System Center 2012 R2 Configuration Manager supports deploying applica
 
 For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
 
-**Note**  
-Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
- 
+>[!NOTE]  
+>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
 
 ## Example: Create the Adobe Reader XI application
 
 
-The steps below show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
+The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
 
 1.  On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
 
@@ -42,17 +40,17 @@ The steps below show you how to create the Adobe Reader XI application. This sec
 
 5.  In the Create Application Wizard, on the **General** page, use the following settings:
 
-    1.  Automatically detect information about this application from installation files
+    * Automatically detect information about this application from installation files
 
-    2.  Type: Windows Installer (\*.msi file)
+    * Type: Windows Installer (\*.msi file)
 
-    3.  Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
+    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
 
-    4.  \\AdbeRdr11000\_en\_US.msi
+    * \\AdbeRdr11000\_en\_US.msi
 
-    ![figure 19](images/mdt-06-fig20.png)
+    ![The Create Application Wizard](images/mdt-06-fig20.png "The Create Application Wizard")
 
-    Figure 19. The Create Application Wizard.
+    *Figure 19. The Create Application Wizard*
 
 6.  Click **Next**, and wait while Configuration Manager parses the MSI file.
 
@@ -60,14 +58,12 @@ The steps below show you how to create the Adobe Reader XI application. This sec
 
 8.  On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
 
-    **Note**  
-    Since it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-
-     
-
-    ![figure 20](images/mdt-06-fig21.png)
-
-    Figure 20. Add the "OSD Install" suffix to the application name.
+    >[!NOTE]
+    >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+  
+    ![Add the OSD Install suffix to the application name](images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+  
+    *Figure 20. Add the "OSD Install" suffix to the application name*
 
 9.  In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
 

windows/keep-secure/bitlocker-how-to-enable-network-unlock.md

@@ -146,12 +146,12 @@ To create a self-signed certificate, you can either use the New-SelfSignedCertif
 Windows PowerShell example:
 
 ```syntax
-New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
+New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
 ```
 
 Certreq example:
 
-1.  Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
+1.  Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
 2.  Add the following contents to the previously created file:
 
     ``` syntax
@@ -162,7 +162,7 @@ Certreq example:
     Exportable=true
     RequestType=Cert
     KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
-    KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
+    KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
     KeyLength=2048
     SMIME=FALSE
     HashAlgorithm=sha512
@@ -179,9 +179,9 @@ Certreq example:
     certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
     ```
 
-4.  Verify the previous command properly created the certificate by confirming the .cer file exists
-5.  Launch the Certificate Manager by running **certmgr.msc**
-6.  Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
+4.  Verify the previous command properly created the certificate by confirming the .cer file exists.
+5.  Launch Certificates - Local Machine by running **certlm.msc**.
+6.  Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
 
 ### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
 
@@ -192,27 +192,27 @@ With the certificate and key created, deploy them to the infrastructure to prope
 3.  In the **File to Import** dialog, choose the .pfx file created previously.
 4.  Enter the password used to create the .pfx and complete the wizard.
 
-### Step Six: Configure Group Policy settings for Network Unlock
+### <a href="" id="bkmk-stepsix"></a>Step Six: Configure Group Policy settings for Network Unlock
 
 With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
 
 The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
 
-1.  Open Group Policy Management Console (gpmc.msc)
-2.  Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1.  Open Group Policy Management Console (gpmc.msc).
+2.  Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
 
 The following steps describe how to deploy the required Group Policy setting:
 
 >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
  
-1.  Copy the .cer file created for Network Unlock to the domain controller
-2.  On the domain controller, launch Group Policy Management Console (gpmc.msc)
+1.  Copy the .cer file created for Network Unlock to the domain controller.
+2.  On the domain controller, launch Group Policy Management Console (gpmc.msc).
 3.  Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
-4.  Deploy the public certificate to clients
+4.  Deploy the public certificate to clients:
 
-    1.  Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
-    2.  Right-click the folder and choose **Add Network Unlock Certificate**
+    1.  Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
+    2.  Right-click the folder and choose **Add Network Unlock Certificate**.
     3.  Follow the wizard steps and import the .cer file that was copied earlier.
 
 >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
@@ -221,16 +221,16 @@ The following steps describe how to deploy the required Group Policy setting:
 
 An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
 
-1.  Open Group Policy Management Console (gpmc.msc)
-2.  Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1.  Open Group Policy Management Console (gpmc.msc).
+2.  Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
 
 ### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
 
 The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
 
 1.  Open the Certificates Template snap-in (certtmpl.msc).
-2.  Locate the User template. Right-click the template name and select **Duplicate Template**
+2.  Locate the User template. Right-click the template name and select **Duplicate Template**.
 3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
 4.  Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
 5.  Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
@@ -246,9 +246,9 @@ The following steps detail how to create a certificate template for use with Bit
     -   **Name:** **BitLocker Network Unlock**
     -   **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
 
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
+14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
+16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
 17. Select **OK** to complete configuration of the template.
 
 To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@@ -328,8 +328,8 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
         In the right pane, click **Enable Log**.
 
 2.  The DHCP subnet configuration file (if one exists).
-3.  The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell
-4.  Network Monitor capture on the server hosting the WDS role, filtered by client IP address
+3.  The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
+4.  Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
 
 ## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions
 
@@ -346,7 +346,7 @@ The following steps can be used to configure Network Unlock on these older syste
 3.  [Step Three: Install the Network Unlock feature](#bkmk-stepthree)
 4.  [Step Four: Create the Network Unlock certificate](#bkmk-stepfour)
 5.  [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive)
-6.  **Step Six: Configure registry settings for Network Unlock**
+6.  [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
 
     Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
         certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer

windows/keep-secure/protect-enterprise-data-using-wip.md

@@ -48,7 +48,7 @@ To help address this security insufficiency, company’s developed data loss pre
 Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by blocking some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
 
 ### Using information rights management systems
-To help address the potential data loss prevention system problems, company’s developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. 
+To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. 
 
 After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
 

windows/manage/TOC.md

@@ -1,6 +1,22 @@
 # [Manage and update Windows 10](index.md)
 ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
+## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+### [Overview of Windows as a service](waas-overview.md)
+### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+#### [Configure Windows Update for Business](waas-configure-wufb.md)
+#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
 ## [Manage corporate devices](manage-corporate-devices.md)
 ### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
 ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
@@ -35,7 +51,6 @@
 ### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
 ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
 ## [Configure devices without MDM](configure-devices-without-mdm.md)
-## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
 ## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
 ### [Getting Started with App-V](appv-getting-started.md)
 #### [What's new in App-V](appv-about-appv.md)

windows/manage/acquire-apps-windows-store-for-business.md

@@ -13,9 +13,9 @@ localizationpriority: high
 As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
 
 ## App licensing model
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing). 
 
-For more information, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md). 
+For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
 
 ## Payment options
 Some apps are free, and some have a price. Apps can be purchased in the Windows Store for Business using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards:

windows/manage/apps-in-windows-store-for-business.md

@@ -80,7 +80,7 @@ Distribution options for online-licensed apps include the ability to:
 
 -   Distribute through a management tool.
 
-**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
+**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing). 
 
 You have the following distribution options for offline-licensed apps:
 

windows/manage/change-history-for-manage-and-update-windows-10.md

@@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 
 | New or changed topic | Description |
 | --- | --- |
+| [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New |
 | [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. |
@@ -25,10 +26,11 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 | New or changed topic | Description |
 | --- | --- |
 | [Create mandatory user profiles](mandatory-user-profile.md) | New |
+| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | New section |
 | [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated instructions for exiting assigned access mode. |
 | Application development for Windows as a service  |  Topic moved to MSDN: [Application development for Windows as a service](https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service)
-
+| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) |
 
 ## RELEASE: Windows 10, version 1607
 

windows/manage/index.md

@@ -31,6 +31,7 @@ Learn about managing and updating Windows 10.
 <tr class="odd">
 <td align="left"><p>[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)</p></td>
 <td align="left"><p>The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.</p></td></tr>
+<tr><td>[Update Windows 10 in the enterprise](waas-update-windows-10.md) </td><td>Learn how to manage updates to Windows 10 in your organization, including Windows Update for Business. </td></tr>
 <tr><td align="left"><p>[Manage corporate devices](manage-corporate-devices.md)</p></td>
 <td align="left"><p>You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.</p></td>
 </tr>
@@ -55,7 +56,6 @@ Learn about managing and updating Windows 10.
 <td align="left"><p>[Configure devices without MDM](configure-devices-without-mdm.md)</p></td>
 <td align="left"><p>Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.</p></td>
 </tr>
-<tr><td>[Windows 10 servicing options](introduction-to-windows-10-servicing.md)</td><td>This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.</td></tr>
 <tr class="even">
 <td align="left"><p>[Application Virtualization for Windows (App-V)](appv-for-windows.md)</p></td>
 <td align="left"><p>When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.</p></td>

windows/manage/introduction-to-windows-10-servicing.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, servicing
 author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10
 ---
 
 # Windows 10 servicing options

windows/manage/manage-access-to-private-store.md

@@ -25,12 +25,28 @@ The private store is a feature in Store for Business that organizations receive
 
 ![Image showing the Windows Store app, with a private store tab highlighted.](images/wsfb-wsappprivatestore.png)
 
-Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
+Organizations can use either an MDM policy, or Group Policy to show only their private store in Windows Store.  
+
+## Show private store only using MDM policy
+
+Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy. 
+
+**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
+- Enterprise
+- Education
+- Mobile
+- Mobile Enterprise
+
+For more information on configuring an MDM provider, see [Configure an MDM provider](https://technet.microsoft.com/itpro/windows/manage/configure-mdm-provider-windows-store-for-business). 
 
 ## Show private store only using Group Policy 
 
 If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.  
 
+**Only display the private store within the Windows Store app** group policy is supported on the following Windows 10 editions:
+- Enterprise
+- Education
+
 **To show private store only in Windows Store app**
 
 1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.

windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -270,6 +270,8 @@ Fonts that are included in Windows but that are not stored on the local device c
 
 To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
 
+> [!NOTE]  
+> After you apply this registry setting, you must restart the device for it to take effect.
 
 ### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
 

windows/manage/update-windows-store-for-business-account-settings.md

@@ -130,7 +130,7 @@ Once you click **Next**, the information you provided will be validated with a
 
 ##Offline licensing##
 
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. 
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
 
 Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business. 
 

windows/manage/waas-branchcache.md

@@ -0,0 +1,66 @@
+---
+title: Configure BranchCache for Windows 10 updates (Windows 10)
+description: Use BranchCache to optimize network bandwidth during update deployment.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure BranchCache for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. 
+
+- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
+
+    >[!TIP]
+    >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. 
+
+- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. 
+
+For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx). 
+
+## Configure clients for BranchCache
+
+Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
+
+Whether you use BranchCache with Configuration Manager or with WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see Client Configuration in the BranchCache Early Adopter’s Guide.
+
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+## Configure servers for BranchCache
+
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. 
+
+For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide).
+
+In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
+
+>[!NOTE]
+>Configuration Manager only supports Distributed Cache mode.
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)

windows/manage/waas-configure-wufb.md

@@ -0,0 +1,218 @@
+---
+title: Configure Windows Update for Business (Windows 10)
+description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).  
+
+>[!IMPORTANT]
+>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher.  If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
+
+Configuration of Windows 10 Mobile devices is limited to the feature set pertaining to Quality Updates only.  That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days.
+
+## Start by grouping devices
+
+By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10.  With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).  
+
+>[!TIP]
+>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). 
+
+
+## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
+
+With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing). 
+
+**Release branch policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Configure when devices receive Feature Updates
+
+After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update.  You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.  
+
+**Examples**
+
+| Settings | Scenario and behavior |
+| --- | --- |
+| Device is on CB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
+| Device is on CBB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
+
+</br></br>
+**Defer Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Pause Feature Updates
+
+You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+
+**Pause Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates  |
+| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. 
+
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor.  To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Feature Updates not paused |
+| 1 | Feature Updates paused |
+| 2 | Feature Updates have auto-resumed after being paused |
+
+
+## Configure when devices receive Quality Updates
+
+Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.  
+
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+
+**Defer Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays  |
+| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdates** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+
+
+## Pause Quality Updates
+
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set.  After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+
+**Pause Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates  |
+| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check what date Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. 
+
+The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor.  To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Quality Updates not paused |
+| 1 | Quality Updates paused |
+| 2 | Quality Updates have auto-resumed after being paused |
+
+## Exclude drivers from Quality Updates
+
+In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle.  This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+
+**Exclude driver policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate  |
+| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+
+
+
+## Summary: MDM and Group Policy for version 1607
+
+Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607.
+
+**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| GPO Key |	Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel	| REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdates | REG_DWORD | 1: defer quality updates</br>Other value or absent: don’t defer quality updates | 
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: don’t pause quality updates |
+|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates</br>Other value or absent: don’t defer feature updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD |1: pause feature updates</br>Other value or absent: don’t pause feature updates |
+| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
+
+
+**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
+
+| MDM Key | Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdatesPeriod | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: don’t pause quality updates |
+| DeferFeatureUpdatesPeriod | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates</br>Other value or absent: don’t pause feature updates |
+| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
+
+## Update devices from Windows 10, version 1511 to version 1607
+
+Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511.  However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator.
+
+### How version 1511 policies are respected on version 1607
+
+When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607.  If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly.  Update keys for version 1607 will always supersede the version 1511 equivalent.
+
+### Comparing the version 1511 keys to the version 1607 keys
+
+In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates.  In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.   
+
+<table><caption>Group Policy keys</caption><thead><th>Version 1511 GPO keys</th><th>Version 1607 GPO keys</th></thead>
+<tbody><tr><td valign="top">**DeferUpgrade**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;
+Enabling allows user to set deferral periods for upgrades and updates.  It also puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 – 4 weeks*</br></br>**Pause**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**DeferFeatureUpdates**: *enable/disable*</br></br>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set device on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdates**: *Enable/disable*</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDrivers**: *enable/disable*</td></tr>
+</table>
+
+<table><caption>MDM keys</caption><thead><th>Version 1511 MDM keys</th><th>Version 1607 MDM keys</th></thead>
+<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>&nbsp;&nbsp;&nbsp;Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 – 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;  Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td></tr>
+</tbody></table>
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)

windows/manage/waas-delivery-optimization.md

@@ -0,0 +1,251 @@
+---
+title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Delivery Optimization for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. 
+
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
+
+By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+## Delivery Optimization options
+
+You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. 
+
+- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
+- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
+
+Several Delivery Optimization features are configurable.
+
+### Download mode (DODownloadMode)
+
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers.  The following table shows the available download mode options and what they do.
+
+| Download mode option | Functionality when set |
+| --- | --- |
+| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. |
+| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | 
+| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
+| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. |
+|Bypass (100) |	Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
+
+>[!NOTE]
+>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
+
+### Group ID (DOGroupID)
+
+By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. 
+
+>[!NOTE]
+>This configuration is optional and not required for most implementations of Delivery Optimization.
+    
+### Max Cache Age (DOMaxCacheAge)
+
+In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+
+### Max Cache Size (DOMaxCacheSize)
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
+
+### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
+
+### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+
+### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+### Max Upload Bandwidth (DOMaxUploadBandwidth)
+
+This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+
+### Minimum Background QoS (DOMinBackgroundQoS)
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
+
+### Modify Cache Drive (DOModifyCacheDrive)
+
+This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
+
+### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
+
+This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
+
+## Delivery Optimization configuration examples
+
+Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section.  The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
+
+### Use Delivery Optimzation with group download mode
+
+Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link.  Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
+
+**To use Group Policy to configure Delivery Optimization for group download mode**
+
+1.	Open Group Policy Management Console (GPMC).
+
+2.	Expand Forest\Domains\\*Your_Domain*.
+
+3.	Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4.	In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
+
+5.	Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
+
+6.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7.	Right-click the **Download Mode** setting, and then click **Edit**.
+
+8.	Enable the policy, and then select the **Group** download mode.
+
+9.	Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
+
+10.	Click **OK**, and then close the Group Policy Management Editor.
+
+11.	In GPMC, select the **Delivery Optimization – Group** policy.
+
+12.	On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
+
+**To use Intune to configure Delivery Optimization for group download mode**
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+    
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
+
+7. In the **Value** box, type **2**, and then click **OK**.
+
+    >[!NOTE]
+    >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+8. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+    >[!NOTE]
+    >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+    
+10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
+
+### Use WSUS and BranchCache with Windows 10, version 1511
+
+In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates.  For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to configure HTTP only download mode**
+
+1.	Open Group Policy Management Console (GPMC).
+
+2.	Expand Forest\Domains\\*Your_Domain*.
+
+3.	Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4.	In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
+
+5.	Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
+
+6.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7.	Right-click the **Download Mode** setting, and then click **Edit**.
+
+8.	Enable the policy, and then select the **HTTP only** download mode.
+
+9.	Click **OK**, and then close the Group Policy Management Editor.
+
+10.	In GPMC, select the **Delivery Optimization – HTTP Only** policy.
+
+11.	On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
+
+    ![example of UI](images/waas-do-fig4.png)
+
+    >[!NOTE]
+    >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+
+### Use WSUS and BranchCache with Windows 10, version 1607
+
+In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to enable the Bypass download mode**
+
+1.	Open Group Policy Management Console (GPMC).
+
+2.	Expand Forest\Domains\\*Your_Domain*.
+
+3.	Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4.	In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
+
+5.	Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
+
+6.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7.	Right-click the **Download Mode** setting, and then click **Edit**.
+
+8.	Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
+
+9.	Click **OK**, and then close the Group Policy Management Editor.
+
+10.	In GPMC, select the **Delivery Optimization – Bypass** policy.
+
+11.	On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
+
+    >[!NOTE]
+    >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+    
+### Set “preferred” cache devices for Delivery Optimization
+
+In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
+
+To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files.
+
+On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
+
+-  Set **DOBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+
+## Learn more
+
+[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)

windows/manage/waas-deployment-rings-windows-10-updates.md

@@ -0,0 +1,76 @@
+---
+title: Build deployment rings for Windows 10 updates (Windows 10)
+description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Build deployment rings for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. 
+
+Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. 
+
+Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
+
+Table 1 provides an example of the deployment rings you might use. 
+
+**Table 1**
+
+| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Brandh for Business (CBB) release |
+| --- | --- | --- |
+| Preview | Windows Insider | Pre-CB |
+| Ring 1 Pilot IT | CB | CB + 0 weeks |
+| Ring 2 Pilot business users | CB | CB + 2 weeks |
+| Ring 3 Broad IT | CBB | CBB + 0 weeks |
+| Ring 4 Broad business users | CBB | CBB + 4 weeks |
+| Ring 5 Broad business users #2 | CBB | CBB + 8 weeks |
+
+>[!NOTE]
+>In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates. 
+>
+>Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+
+
+As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. 
+
+![illustration of rings](images/waas-rings.png)
+
+
+
+## Steps to manage updates for Windows 10
+
+<table><tbody>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Build deployment rings for Windows 10 updates
+(this topic)</td></tr>
+<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
+</tbody></table>
+</br>
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+

windows/manage/waas-integrate-wufb.md

@@ -0,0 +1,109 @@
+---
+title: Integrate Windows Update for Business with management solutions (Windows 10)
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Integrate Windows Update for Business with management solutions
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+
+## Integrate Windows Update for Business with Windows Server Update Services
+
+
+For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update and Windows Server Update Services (WSUS).  In a joint WSUS and Windows Update for Business setup:
+
+- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, non-Windows Updates content will not follow your Windows Update for Business deferral policies
+
+### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates using Windows Update for Business
+- Device is also configured to be managed by WSUS
+- Device is not configured to include Microsoft Updates from Windows Update (**Update/AllowMUUpdateService** = not enabled)
+- Admin has opted to put Microsoft updates on WSUS
+- Admin has also put 3rd party drivers on WSUS
+
+<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
+<tbody><tr><td>Windows Update</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config1a.png)</td></tr>
+<tr><td>Microsoft Update (such as Office updates)</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+<tr><td>Third-party drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+</table>
+
+### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business 
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
+- Device is also configured to be managed by WSUS
+- Admin has opted to put Windows Update drivers on WSUS
+
+
+<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
+<tbody><tr><td>Windows Update (exclude driver)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="4">![diagram of content flow](images/wufb-config2.png)</td></tr>
+<tr><td>Windows Update drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+<tr><td>Microsoft Update (such as Office updates)</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+<tr><td>Windows drivers, third-party drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+
+</table>
+
+### Configuration example \#3: Device configured to receive Microsoft updates 
+
+**Configuration:**
+
+- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
+- Device is configured to “receive updates for other Microsoft products” along with Windows Update updates (**Update/AllowMUUpdateService** = enabled)
+- Admin has also placed Microsoft Update content on the WSUS server
+
+In this example, the Microsoft Update deferral behavior is slightly different than if WSUS were not enabled. 
+- In a non-WSUS case, the Microsoft Update updates would be deferred just as any Windows Update update would be.  
+- However, with WSUS also configured, Microsoft Update content is sourced from Microsoft but deferral policies are not applied.  
+
+
+<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
+<tbody><tr><td>Windows Update (exclude drivers)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config3a.png)</td></tr>
+<tr><td>Microsoft Update (such as Office updates)</td><td>Microsoft Update</td><td>Microsoft Update</td><td>No</td></tr>
+<tr><td>Drivers, third-party</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
+</table>
+
+>[!NOTE]
+> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
+
+## Integrate Windows Update for Business with System Center Configuration Manager
+
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+
+![Example of unknown devices](images/wufb-sccm.png)
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+

windows/manage/waas-manage-updates-configuration-manager.md

@@ -0,0 +1,406 @@
+---
+title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10)
+description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using System Center Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+
+System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+
+You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. 
+
+>[!NOTE]
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+
+## Windows 10 servicing dashboard
+
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+
+For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: 
+
+- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
+- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
+- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
+
+    **To configure Upgrade classification**
+
+    1.	Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
+
+    2.	On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
+
+        ![Example of UI](images/waas-sccm-fig1.png)
+
+    3.	In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
+
+When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
+
+## Enable CBB clients in Windows 10, version 1511
+
+When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode. 
+
+**To use Group Policy to configure a client for the CBB servicing branch** 
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. 
+
+    ![Example of UI](images/waas-sccm-fig2.png)   
+
+5.	In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+    >[!NOTE]
+    >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6.	Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+8.	Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
+
+    ![Example of UI](images/waas-sccm-fig3.png)  
+    
+9.	Enable the policy, and then click **OK**.
+
+    >[!NOTE]
+    >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
+
+10.	Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+
+## Enable CBB clients in Windows 10, version 1607
+
+When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode. 
+
+>[!NOTE]
+>System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
+
+**To use Group Policy to configure a client for the CBB servicing branch** 
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. 
+
+    ![Example of UI](images/waas-sccm-fig2.png) 
+    
+5.	In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+    >[!NOTE]
+    >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6.	Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
+
+8.	Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
+ 
+9.	Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
+
+10.	Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+## Create collections for deployment rings
+
+Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 3 Broad IT**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 3 Broad IT** collection as a deployment ring for the first CBB users, IT pros.
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+**To create collections for deployment rings**
+
+1.	In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2.	On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3.	In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
+
+4.	Click **Browse** to select the limiting collection, and then click **All Systems**.
+
+5.	In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
+
+6.	Name the rule **CBB Detection**, and then click **Edit Query Statement**.
+
+7.	On the **Criteria** tab, click the **New** icon.
+
+    ![Example of UI](images/waas-sccm-fig4.png) 
+    
+8.	In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
+
+9.	In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
+
+     ![Example of UI](images/waas-sccm-fig5.png) 
+
+     >[!NOTE]
+     >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
+
+10.	Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
+
+      ![Example of UI](images/waas-sccm-fig6.png) 
+
+11.	Now that the **OSBranch** attribute is correct, verify the operating system version.
+
+12.	On the **Criteria** tab, click the **New** icon again to add criteria.
+
+13.	In the **Criterion Properties** dialog box, click **Select**.
+
+14.	From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
+
+      ![Example of UI](images/waas-sccm-fig7.png) 
+
+15.	In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**. 
+
+      ![Example of UI](images/waas-sccm-fig8.png) 
+      
+16.	In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
+
+17.	Click **Summary**, and then click **Next**.
+
+18.	Close the wizard.
+
+>[!IMPORTANT]
+>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
+
+After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 3 Broad IT** collection. Complete the following steps to create the Ring 3 Broad IT device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
+
+1.	In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2.	On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3.	In the Create Device Collection Wizard, in the **name** box, type **Ring 3 Broad IT**.
+
+4.	Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
+
+5.	In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
+
+6.	In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
+
+7.	In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
+
+8.	Select the computer that will be part of the **Ring 3 Broad IT** deployment ring, and then click **Next**.
+
+9.	Click **Next**, and then click **Close**.
+
+10.	In the **Create Device Collection Wizard** dialog box, click **Summary**.
+
+11.	Click **Next**, and then click **Close**.
+
+
+## Use Windows 10 servicing plans to deploy Windows 10 feature updates
+
+There are two ways to deploy Windows 10 feature updates with System Center onfiguration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. 
+
+**To configure Windows feature updates for CBB clients in the Ring 3 Broad IT deployment ring using a servicing plan**
+
+1.	In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
+
+2.	On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
+
+3.	Name the plan **Ring 3 Broad IT Servicing Plan**, and then click **Next**.
+
+4.	On the **Servicing Plan page**, click **Browse**. Select the **Ring 3 Broad IT** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
+
+    >[!IMPORTANT]
+    >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
+    >
+    >![This is a high-risk deployment](images/waas-sccm-fig9.png) 
+    >
+    >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+
+5.	On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
+
+    Doing so deploys CBB feature updates to the IT deployment ring immediately after they are released to CBB.
+
+    On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
+    
+6.	For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
+
+7.	On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
+
+8.	On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
+
+    Doing so allows installation and restarts after the 7-day deadline on workstations only.
+    
+9.	On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
+
+    In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
+
+    ![Example of UI](images/waas-sccm-fig10.png) 
+    
+10.	On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
+
+    ![Example of UI](images/waas-sccm-fig11.png) 
+    
+    Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
+    
+11.	Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
+
+
+You have now created a servicing plan for the **Ring 3 Broad IT** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
+
+![Example of UI](images/waas-sccm-fig12.png) 
+
+
+## Use a task sequence to deploy Windows 10 updates
+
+There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
+
+Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
+
+1.	In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
+
+2.	On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
+
+3.	On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
+
+    In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
+    
+    >[!NOTE]
+    >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
+    
+4.	On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
+
+5.	On the **Summary** page, click **Next** to create the package.
+
+6.	On the **Completion** page, click **Close**.
+
+Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
+
+1.	In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
+
+2.	On the Ribbon, in the **Deployment group**, click **Distribute Content**.
+
+3.	In the Distribute Content Wizard, on the **General** page, click **Next**.
+
+4.	On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
+
+5.	In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
+
+6.	On the **Content Destination** page, click **Next**.
+
+7.	On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
+
+8.	On the **Completion** page, click **Close**.
+
+Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
+
+1.	In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
+
+2.	On the Ribbon, in the **Create** group, click **Create Task Sequence**.
+
+3.	In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+
+4.	On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
+
+5.	On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
+
+6.	Click **Next**.
+
+7.	On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
+
+8.	On the **Install Applications** page, click **Next**.
+
+9.	On the **Summary** page, click **Next** to create the task sequence.
+
+10.	On the **Completion** page, click **Close**.
+
+With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 3 Broad IT collection**.
+
+>[!IMPORTANT]
+>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
+
+**To deploy your task sequence**
+
+1.	In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
+
+2.	On the Ribbon, in the **Deployment** group, click **Deploy**.
+
+3.	In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
+  
+4.	On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
+
+5.	On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
+
+6.	In the **Assignment Schedule** dialog box, click **Schedule**.
+
+7.	In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
+    
+8.	In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
+
+9.	On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
+
+10.	Use the defaults for the remaining settings.
+
+11.	Click **Summary**, and then click **Next** to deploy the task sequence.
+
+12.	Click **Close**.
+
+
+
+
+</br>
+
+## Steps to manage updates for Windows 10
+
+<table><tbody>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
+or Manage Windows 10 updates using System Center Configuration Manager (this topic)</td></tr>
+</tbody></table>
+</br>
+
+
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)

windows/manage/waas-manage-updates-wsus.md

@@ -0,0 +1,351 @@
+---
+title: Manage Windows 10 updates using Windows Server Update Services (Windows 10)
+description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using Windows Server Update Services (WSUS)
+
+
+**Applies to**
+
+- Windows 10
+
+
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. 
+
+
+
+## Requirements for Windows 10 servicing with WSUS
+
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3148812](https://support.microsoft.com/kb/3159706) patches on the WSUS server. 
+
+## WSUS scalability
+
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a demilitarized zone, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
+ 
+
+## Express Installation Files
+
+With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
+
+ At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. 
+ 
+ **To configure WSUS to download Express Update Files**
+ 
+1.	Open the WSUS Administration Console.
+ 
+2.	In the navigation pane, go to *Your_Server*\\**Options**.
+
+3.	In the **Options** section, click **Update Files and Languages**.
+
+    ![Example of UI](images/waas-wsus-fig1.png)
+    
+4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
+
+    ![Example of UI](images/waas-wsus-fig2.png) 
+    
+    >[!NOTE]
+    >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. 
+
+## Configure automatic updates and update service location
+
+When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
+
+**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
+
+1.	Open GPMC.
+
+2.	Expand Forest\Domains\\*Your_Domain*. 
+
+3.	Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+    ![Example of UI](images/waas-wsus-fig3.png) 
+    
+    >[!NOTE]
+    >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+    
+4.	In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+
+5.	Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+
+6.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7.	Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+
+    ![Example of UI](images/waas-wsus-fig4.png)
+    
+8.  In the **Configure Automatic Updates** dialog box, select **Enable**.
+
+9.	Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+    ![Example of UI](images/waas-wsus-fig5.png)
+    
+    >[!NOTE]
+    ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). 
+    
+9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. 
+
+9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
+
+12.	Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**.
+
+    >[!NOTE]
+    >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+    
+     ![Example of UI](images/waas-wsus-fig6.png)
+     
+     >[!NOTE]
+     >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+
+As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
+
+## Create computer groups in the WSUS Administration Console
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. 
+
+**To create computer groups in the WSUS Administration Console**
+
+1.	Open the WSUS Administration Console. 
+
+2.	Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. 
+
+    ![Example of UI](images/waas-wsus-fig7.png)
+    
+3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+
+4.	Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+
+Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
+<span id="wsus-admin"/>
+## Use the WSUS Administration Console to populate deployment rings
+
+Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. 
+
+In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
+
+### Manually assign unassigned computers to groups
+
+When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
+
+**To assign computers manually**
+
+1.	In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
+
+    Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+
+2.	Select both computers, right-click the selection, and then click **Change Membership**.
+
+    ![Example of UI](images/waas-wsus-fig8.png)
+
+3.	In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+
+    Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+
+### Search for multiple computers to add to groups
+
+Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
+
+**To search for multiple computers**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+
+2. In the search box, type **WIN10**.
+
+3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+
+    ![Example of UI](images/waas-wsus-fig9.png)
+    
+4.	Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+
+You can now see these computers in the **Ring 3 Broad IT** computer group.
+
+
+<span id="wsus-gp"/>
+## Use Group Policy to populate deployment rings
+
+The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+
+**To configure WSUS to allow client-side targeting from Group Policy**
+
+1.	Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+
+     ![Example of UI](images/waas-wsus-fig10.png)
+     
+2.	In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+
+    >[!NOTE]
+    >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. 
+    
+Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
+
+**To configure client-side targeting**
+
+>[!TIP]
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+
+1.	Open GPMC.
+
+2.	Expand Forest\Domains\\*Your_Domain*.
+
+3.	Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4.	In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+
+5.	Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+
+    ![Example of UI](images/waas-wsus-fig11.png)
+    
+6.	In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7.	Right-click **Enable client-side targeting**, and then click **Edit**.
+
+8.	In the **Enable client-side targeting** dialog box, select **Enable**.
+
+9.	In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+
+    ![Example of UI](images/waas-wsus-fig12.png)
+
+10.	Close the Group Policy Management Editor.
+
+Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. 
+
+**To scope the GPO to a group**
+
+1.	In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+
+2.	Click the **Scope** tab.
+
+3.	Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
+
+    ![Example of UI](images/waas-wsus-fig13.png)
+    
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
+
+## Automatically approve and deploy feature updates
+
+For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+
+>[!NOTE]
+>WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it.
+
+**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+
+1.	In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
+
+2.	On the **Update Rules** tab, click **New Rule**.
+
+3.	In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
+
+     ![Example of UI](images/waas-wsus-fig14.png)
+     
+4.	In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+
+5.	In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+    Windows 10 is under All Products\Microsoft\Windows.
+    
+6.	In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+
+7.	Leave the deadline set for **7 days after the approval at 3:00 AM**.
+
+8.	In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+
+    ![Example of UI](images/waas-wsus-fig15.png)
+    
+9.	In the **Automatic Approvals** dialog box, click **OK**.
+
+    >[!NOTE]
+    >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+
+Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+
+## Manually approve and deploy feature updates
+
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+
+**To approve and deploy feature updates manually**
+
+1.	 In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+
+2.	In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
+
+3.	Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+
+4.	Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+    Windows 10 is under All Products\Microsoft\Windows.
+    
+5.	In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+
+     ![Example of UI](images/waas-wsus-fig16.png)
+
+Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+
+1.	In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
+
+2.	Right-click the feature update you want to deploy, and then click **Approve**.
+
+      ![Example of UI](images/waas-wsus-fig17.png)  
+      
+3.	In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
+
+      ![Example of UI](images/waas-wsus-fig18.png) 
+      
+4.	In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. 
+
+      ![Example of UI](images/waas-wsus-fig19.png) 
+      
+5.	If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+
+    If the deployment is successful, you should receive a successful progress report.
+    
+    ![Example of UI](images/waas-wsus-fig20.png) 
+
+6.	In the **Approval Progress** dialog box, click **Close**.
+
+</br>
+
+## Steps to manage updates for Windows 10
+
+<table><tbody>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
+or Manage Windows 10 updates using Windows Server Update Services (this topic)</br>
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
+</tbody></table>
+</br>
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)

windows/manage/waas-manage-updates-wufb.md

@@ -0,0 +1,136 @@
+---
+title: Manage updates using Windows Update for Business (Windows 10)
+description: Windows Update for Business lets you manage when devices received updates from Windows Update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage updates using Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.  You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings. Using Group Policy or MDM solutions such as Intune, you can control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.  
+
+Specifically, Windows Update for Business allows for: 
+
+- The creation of deployment and validation groups, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met).
+- Selectively including or excluding drivers as part of Microsoft-provided updates
+- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
+- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
+
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+
+## Update types
+
+Windows Update for Business provides three types of updates to Windows 10 devices:
+
+- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
+- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time).  These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
+- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
+ 
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+
+<table>
+<tr>
+<th>Category</th>
+<th>Maximum deferral</th>
+<th>Deferral increments</th>
+<th>Example</th>
+<th>Classification GUID</th>
+</tr>
+<tr>
+<td>Feature Updates</td>
+<td>180 days</td>
+<td>Days</td>
+<td>From Windows 10, version 1511 to version 1607</td>
+<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
+</tr>
+<tr>
+<td rowspan="4">Quality Updates</td>
+<td rowspan="4">30 days</td>
+<td rowspan="4">Days</td>
+<td>Security updates</td>
+<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
+</tr>
+<tr>
+<td>Drivers (optional)</td>
+<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
+</tr>
+<tr>
+<td>Non-security updates</td>
+<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
+</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
+<tr>
+<td>Non-deferrable</td>
+<td>No deferral</td>
+<td>No deferral</td>
+<td>Definition updates</td>
+<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
+</tr>
+</table> 
+
+>[!NOTE]
+>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
+
+## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
+
+Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.   
+
+>[!NOTE]
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md).
+
+<table>
+    <thead>
+        <tr><th>Capability</th><th>Windows 10, version 1511</th><th>Windows 10, version 1607</th>           
+        </tr>
+    </thead>
+    <tbody>
+        <tr><td><p>Select Servicing Options: CB or CBB</p></td><td><p>Not available.  To defer updates, all systems must be on the Current Branch for Business (CBB)</p></td><td><p>Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).</p></td></tr>
+<tr><td><p>Quality Updates</p></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 4 weeks</li><li>In weekly increments</li></ul></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 30 days</li><li>In daily increments</li></ul></td></tr>
+<tr><td><p>Feature Updates</p></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 8 months</li><li>In monthly increments</li></ul></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 180 days</li><li>In daily increments</li></ul></td></tr>
+<tr><td><p>Pause updates</p></td><td><ul><li>Feature Updates and Quality Updates paused together</li><li>Maximum of 35 days</li></ul></td><td><p>Features and Quality Updates can be paused separately.</p><ul><li>Feature Updates: maximum 60 days</li><li>Quality Updates: maximum 35 days</li></ul></td></tr>
+<tr><td><p>Drivers</p></td><td><p>No driver-specific controls</p></td><td><p>Drivers can be selectively excluded from Windows Update for Business.</p></td></tr>
+</tbody></table>
+
+
+## Steps to manage updates for Windows 10
+
+<table><tbody>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
+<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Manage updates using Windows Update for Business (this topic)</br>
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
+</tbody></table>
+</br>
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) 
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+